buffer: make buflen in integer range

nodejs · Feb 26, 2024 · a21b523 · a21b523
1 parent 0951e7b
commit a21b523
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 12 deletions.
diff --git a/src/string_bytes.cc b/src/string_bytes.cc
@@ -244,6 +244,13 @@ static inline unsigned unhex(uint8_t x) {
   return unhex_table[x];
 }
 
+size_t keep_buflen_in_range(size_t len) {
+  if (len > static_cast<size_t>(std::numeric_limits<int>::max())) {
+    return static_cast<size_t>(std::numeric_limits<int>::max());
+  }
+  return len;
+}
+
 template <typename TypeName>
 static size_t hex_decode(char* buf,
                          size_t len,
@@ -306,7 +313,7 @@ size_t StringBytes::Write(Isolate* isolate,
                           enum encoding encoding) {
   HandleScope scope(isolate);
   size_t nbytes;
-
+  buflen = keep_buflen_in_range(buflen);
   CHECK(val->IsString() == true);
   Local<String> str = val.As<String>();
 
@@ -579,6 +586,7 @@ MaybeLocal<Value> StringBytes::Encode(Isolate* isolate,
       }
 
     case ASCII:
+      buflen = keep_buflen_in_range(buflen);
       if (simdutf::validate_ascii_with_errors(buf, buflen).error) {
         // The input contains non-ASCII bytes.
         char* out = node::UncheckedMalloc(buflen);
@@ -592,24 +600,24 @@ MaybeLocal<Value> StringBytes::Encode(Isolate* isolate,
         return ExternOneByteString::NewFromCopy(isolate, buf, buflen, error);
       }
 
-    case UTF8:
-      {
-        val = String::NewFromUtf8(isolate,
-                                  buf,
-                                  v8::NewStringType::kNormal,
-                                  buflen);
-        Local<String> str;
-        if (!val.ToLocal(&str)) {
-          *error = node::ERR_STRING_TOO_LONG(isolate);
-        }
-        return str;
+    case UTF8: {
+      buflen = keep_buflen_in_range(buflen);
+      val =
+          String::NewFromUtf8(isolate, buf, v8::NewStringType::kNormal, buflen);
+      Local<String> str;
+      if (!val.ToLocal(&str)) {
+        *error = node::ERR_STRING_TOO_LONG(isolate);
       }
+      return str;
+    }
 
     case LATIN1:
+      buflen = keep_buflen_in_range(buflen);
       return ExternOneByteString::NewFromCopy(isolate, buf, buflen, error);
 
     case BASE64: {
       size_t dlen = base64_encoded_size(buflen);
+      dlen = keep_buflen_in_range(dlen);
       char* dst = node::UncheckedMalloc(dlen);
       if (dst == nullptr) {
         *error = node::ERR_MEMORY_ALLOCATION_FAILED(isolate);
@@ -624,6 +632,7 @@ MaybeLocal<Value> StringBytes::Encode(Isolate* isolate,
 
     case BASE64URL: {
       size_t dlen = base64_encoded_size(buflen, Base64Mode::URL);
+      dlen = keep_buflen_in_range(dlen);
       char* dst = node::UncheckedMalloc(dlen);
       if (dst == nullptr) {
         *error = node::ERR_MEMORY_ALLOCATION_FAILED(isolate);
@@ -638,6 +647,7 @@ MaybeLocal<Value> StringBytes::Encode(Isolate* isolate,
 
     case HEX: {
       size_t dlen = buflen * 2;
+      dlen = keep_buflen_in_range(dlen);
       char* dst = node::UncheckedMalloc(dlen);
       if (dst == nullptr) {
         *error = node::ERR_MEMORY_ALLOCATION_FAILED(isolate);
@@ -651,6 +661,7 @@ MaybeLocal<Value> StringBytes::Encode(Isolate* isolate,
 
     case UCS2: {
       size_t str_len = buflen / 2;
+      str_len = keep_buflen_in_range(str_len);
       if (IsBigEndian()) {
         uint16_t* dst = node::UncheckedMalloc<uint16_t>(str_len);
         if (str_len != 0 && dst == nullptr) {

diff --git a/test/pummel/test-buffer-large-size.js b/test/pummel/test-buffer-large-size.js
@@ -0,0 +1,48 @@
+'use strict';
+const common = require('../common');
+
+// Test Buffer size larger than integer range
+const assert = require('assert');
+const {
+  SlowBuffer,
+} = require('buffer');
+const kStringMaxLength = require('buffer').constants.MAX_STRING_LENGTH;
+
+const stringTooLongError = {
+  message: `Cannot create a string longer than 0x${kStringMaxLength.toString(16)}` +
+    ' characters',
+  code: 'ERR_STRING_TOO_LONG',
+  name: 'Error',
+};
+
+const size = 2 ** 32;
+
+// Test Buffer.toString
+{
+  try {
+    assert.throws(() => Buffer(size).toString('utf8'), stringTooLongError);
+    assert.throws(() => SlowBuffer(size).toString('utf8'), stringTooLongError);
+    assert.throws(() => Buffer.alloc(size).toString('utf8'), stringTooLongError);
+    assert.throws(() => Buffer.allocUnsafe(size).toString('utf8'), stringTooLongError);
+    assert.throws(() => Buffer.allocUnsafeSlow(size).toString('utf8'), stringTooLongError);
+  } catch (e) {
+    if (e.code !== 'ERR_MEMORY_ALLOCATION_FAILED') {
+      throw e;
+    }
+    common.skip('insufficient space for Buffer.alloc');
+  }
+}
+
+// Test Buffer.write
+{
+  try {
+    const buf = Buffer.alloc(size);
+    assert.strictEqual(buf.write('a', 2, kStringMaxLength), 1);
+    assert.strictEqual(buf.write('a', 2, size), 1);
+  } catch (e) {
+    if (e.code !== 'ERR_MEMORY_ALLOCATION_FAILED') {
+      throw e;
+    }
+    common.skip('insufficient space for Buffer.alloc');
+  }
+}