buffer: validate copyArrayBuffer offsets against buffer length#63904
Open
iliaal wants to merge 1 commit into
Open
buffer: validate copyArrayBuffer offsets against buffer length#63904iliaal wants to merge 1 commit into
iliaal wants to merge 1 commit into
Conversation
nodejs-github-bot
added
buffer
Renegade334
requested changes
Jun 14, 2026
Renegade334
left a comment
Renegade334
left a comment
Member
There was a problem hiding this comment.
The caller validates the arguments here, we do not provide guardrails for invoking C++ internals from userland.
That being said, an additional assertion to cover the invariant you've mentioned (eg. CHECK_LE(destination_offset, destination_byte_length) wouldn't go amiss.
iliaal
force-pushed
the
buffer-copyarraybuffer-bounds
branch
from
f277b81 to
1c547e6
Compare
Author
|
Agreed. Switched to assertions and dropped the CHECK_LE(destination_offset, destination_byte_length);
CHECK_LE(source_offset, source_byte_length);
CHECK_GE(destination_byte_length - destination_offset, bytes_to_copy);
CHECK_GE(source_byte_length - source_offset, bytes_to_copy);The |
Member
|
Please run |
CopyArrayBuffer() computed `byteLength - offset` in unsigned arithmetic
before its CHECK_GE bounds check. An offset greater than the buffer
length wrapped the subtraction to a near-SIZE_MAX value, so the check
passed and memcpy() copied out of bounds.
process.binding('buffer').copyArrayBuffer() is an internal, trusted
binding; the only in-tree caller, the Web Streams BYOB reader, already
validates the offsets in JS. Assert the offsets are within bounds with
CHECK_LE before the subtractions so the invariant holds regardless of
caller, matching the CHECK-based style already used here.
Signed-off-by: Ilia Alshanetsky <ilia@ilia.ws>
iliaal
force-pushed
the
buffer-copyarraybuffer-bounds
branch
from
1c547e6 to
bd8f96e
Compare
Author
|
Done |
Renegade334
approved these changes
Jun 14, 2026
Renegade334
added
author ready
github-actions
Bot
removed
the
request-ci
Collaborator
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
CopyArrayBuffer()computedbyteLength - offsetin unsigned arithmetic before itsCHECK_GEbounds check. An offset greater than the buffer length wrapped the subtraction to a near-SIZE_MAXvalue, so the check passed andmemcpy()copied out of bounds.The only in-tree caller is the Web Streams BYOB reader, which validates the offsets in JS via
canCopyArrayBuffer()before calling. The binding is also reachable directly throughprocess.binding('buffer').copyArrayBuffer(...), which bypasses that guard, so the offsets reach C++ unchecked. Only in-process (trusted) code can reach it, so this is a robustness fix, not a vulnerability.Validate the destination and source ranges in C++ and throw
ERR_OUT_OF_RANGE, as the other range checks innode_buffer.ccalready do.Reproduction before the change (in-process JS, no flags):
After the change the call throws
ERR_OUT_OF_RANGE.