1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

src: fix out-of-bounds write in TwoByteValue

Browse Source 
Plan 2 bytes instead of 1 byte for the final zero terminator
for UTF-16. This is unlikely to cause real-world problems,
but that ultimately depends on the `malloc` implementation.

The issue can be uncovered by running e.g.
`valgrind node -e "Buffer(65536).fill('a'.repeat(4096), 'utf16le')"`

Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/nodejs/node/pull/6330
This commit is contained in:
Anna Henningsen 2016-04-21 11:04:31 +02:00
parent 0e7d57af35
commit a3b5b9cbf2
No known key found for this signature in database
GPG Key ID: D8B9F5AEAE84E4CF
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/util.cc
View File

@ -47,7 +47,9 @@ TwoByteValue::TwoByteValue(Isolate* isolate, Local<Value> value)
return;
// Allocate enough space to include the null terminator
size_t len = StringBytes::StorageSize(isolate, string, UCS2) + 1;
size_t len =
StringBytes::StorageSize(isolate, string, UCS2) +
sizeof(uint16_t);
if (len > sizeof(str_st_)) {
str_ = static_cast<uint16_t*>(malloc(len));
CHECK_NE(str_, nullptr);