From a3b5b9cbf2cb858bdb7c5e5b1e3c8b92c43a1c4a Mon Sep 17 00:00:00 2001
From: Anna Henningsen
Date: Thu, 21 Apr 2016 11:04:31 +0200
Subject: src: fix out-of-bounds write in TwoByteValue
Plan 2 bytes instead of 1 byte for the final zero terminator for UTF-16. This is unlikely to cause real-world problems, but that ultimately depends on the `malloc` implementation. The issue can be uncovered by running e.g. `valgrind node -e "Buffer(65536).fill('a'.repeat(4096), 'utf16le')"`
Reviewed-By: James M Snell
Reviewed-By: Ben Noordhuis
PR-URL: https://github.com/nodejs/node/pull/6330
---
 src/util.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'src/util.cc')
diff --git a/src/util.cc b/src/util.cc
index 3b0278ceda..20325d0bed 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -47,7 +47,9 @@ TwoByteValue::TwoByteValue(Isolate* isolate, Local value)
 return;
 // Allocate enough space to include the null terminator
- size_t len = StringBytes::StorageSize(isolate, string, UCS2) + 1;
+ size_t len =
+ StringBytes::StorageSize(isolate, string, UCS2) +
+ sizeof(uint16_t);
 if (len > sizeof(str_st_)) {
 str_ = static_cast(malloc(len));
 CHECK_NE(str_, nullptr);
-- cgit v1.2.3
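Review bot: The context comment directly above the changed line still reads "include the null terminator", which is precisely the wording under which the old `+ 1` looked correct, so the reason for `sizeof(uint16_t)` lives only in the commit message; state it where the arithmetic is read, e.g. `// Allocate enough space for the string plus a two-byte (UTF-16) null terminator`, assuming StringBytes::StorageSize returns a byte count as the new expression implies. The diffstat shows only src/util.cc touched, so nothing in-tree guards against a later "simplification" back to `+ 1`; the valgrind invocation from the description is the only reproduction, and a pointer to it (or an ASan/valgrind job covering the utf16le fill path) would be the durable backstop for a one-byte heap overwrite that a plain test cannot observe. The constructor's body begins before the hunk (the early `return;` belongs to a check not shown) and continues past it, so whether the terminator write itself is sized consistently with this allocation cannot be confirmed from the hunk.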