src: fix out-of-bounds write in TwoByteValue
Plan 2 bytes instead of 1 byte for the final zero terminator for UTF-16. This is unlikely to cause real-world problems, but that ultimately depends on the `malloc` implementation. The issue can be uncovered by running e.g. `valgrind node -e "Buffer(65536).fill('a'.repeat(4096), 'utf16le')"` Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> PR-URL: https://github.com/nodejs/node/pull/6330
This commit is contained in:
parent
0e7d57af35
commit
a3b5b9cbf2
@ -47,7 +47,9 @@ TwoByteValue::TwoByteValue(Isolate* isolate, Local<Value> value)
|
||||
return;
|
||||
|
||||
// Allocate enough space to include the null terminator
|
||||
size_t len = StringBytes::StorageSize(isolate, string, UCS2) + 1;
|
||||
size_t len =
|
||||
StringBytes::StorageSize(isolate, string, UCS2) +
|
||||
sizeof(uint16_t);
|
||||
if (len > sizeof(str_st_)) {
|
||||
str_ = static_cast<uint16_t*>(malloc(len));
|
||||
CHECK_NE(str_, nullptr);
|
||||
|
Loading…
x
Reference in New Issue
Block a user