buffer: validate copyArrayBuffer offsets against buffer length

iliaal · iliaal · commit bd8f96e0ac3c · 2026-06-14T10:03:25.000-04:00
CopyArrayBuffer() computed `byteLength - offset` in unsigned arithmetic
before its CHECK_GE bounds check. An offset greater than the buffer
length wrapped the subtraction to a near-SIZE_MAX value, so the check
passed and memcpy() copied out of bounds.

process.binding('buffer').copyArrayBuffer() is an internal, trusted
binding; the only in-tree caller, the Web Streams BYOB reader, already
validates the offsets in JS. Assert the offsets are within bounds with
CHECK_LE before the subtractions so the invariant holds regardless of
caller, matching the CHECK-based style already used here.

Signed-off-by: Ilia Alshanetsky &lt;ilia@ilia.ws&gt;
diff --git a/src/node_buffer.cc b/src/node_buffer.cc
@@ -1569,6 +1569,10 @@ void CopyArrayBuffer(const FunctionCallbackInfo<Value>& args) {
   uint32_t source_offset = args[3].As<Uint32>()->Value();
   size_t bytes_to_copy = args[4].As<Uint32>()->Value();
 
+  // Assert the offsets are within bounds before the subtractions below, which
+  // would otherwise underflow and defeat the bytes_to_copy bounds checks.
+  CHECK_LE(destination_offset, destination_byte_length);
+  CHECK_LE(source_offset, source_byte_length);
   CHECK_GE(destination_byte_length - destination_offset, bytes_to_copy);
   CHECK_GE(source_byte_length - source_offset, bytes_to_copy);
 
