From de1754a761378bf93abd5fd3c53cd88b55bf163f Mon Sep 17 00:00:00 2001
From: cjihrig <cjihrig@gmail.com>
Date: Sat, 4 Nov 2017 18:05:16 -0400
Subject: src: CHECK() for argument overflow in Spawn()

This commit adds checks for overflow to args and env in Spawn().
It seems extremely unlikely that either of these values would
overflow from a valid use case.

Fixes: https://github.com/nodejs/node/issues/15622
PR-URL: https://github.com/nodejs/node/pull/16761
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
---
 src/process_wrap.cc | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'src/process_wrap.cc')

diff --git a/src/process_wrap.cc b/src/process_wrap.cc
index c1148f9bfb..a73e4d9779 100644
--- a/src/process_wrap.cc
+++ b/src/process_wrap.cc
@@ -185,6 +185,8 @@ class ProcessWrap : public HandleWrap {
     if (!argv_v.IsEmpty() && argv_v->IsArray()) {
       Local<Array> js_argv = Local<Array>::Cast(argv_v);
       int argc = js_argv->Length();
+      CHECK_GT(argc + 1, 0);  // Check for overflow.
+
       // Heap allocate to detect errors. +1 is for nullptr.
       options.args = new char*[argc + 1];
       for (int i = 0; i < argc; i++) {
@@ -211,6 +213,7 @@ class ProcessWrap : public HandleWrap {
     if (!env_v.IsEmpty() && env_v->IsArray()) {
       Local<Array> env_opt = Local<Array>::Cast(env_v);
       int envc = env_opt->Length();
+      CHECK_GT(envc + 1, 0);  // Check for overflow.
       options.env = new char*[envc + 1];  // Heap allocated to detect errors.
       for (int i = 0; i < envc; i++) {
         node::Utf8Value pair(env->isolate(),
-- 
cgit v1.2.3