From: Dmitry Volyntsev Date: Thu, 10 Oct 2024 00:32:11 +0000 (-0700) Subject: Fixed heap-buffer-overflow in Buffer.prototype.indexOf(). X-Git-Tag: 0.8.7~13 X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=6c8084b666cfe5db5d9401e7dff7981b5b2eb100;p=njs.git Fixed heap-buffer-overflow in Buffer.prototype.indexOf(). Previously, when `from` argument was provided heap-buffer-overflow might happen due to lack of boundary check. `to = njs_min(to, length)` statement was also removed because it has no effect, `to` is equal to `length` here. The issue was introduced in 5d15a8d6 (0.8.5). This closes #794 issue on Github. --- diff --git a/src/njs_buffer.c b/src/njs_buffer.c index 07054bf0..0bd5b896 100644 --- a/src/njs_buffer.c +++ b/src/njs_buffer.c @@ -2228,7 +2228,10 @@ encoding: } else { to -= str.length - 1; - to = njs_min(to, length); + + if (from > to) { + goto done; + } } for (i = from; i != to; i += increment) { diff --git a/src/qjs_buffer.c b/src/qjs_buffer.c index 2487c633..5def5e63 100644 --- a/src/qjs_buffer.c +++ b/src/qjs_buffer.c @@ -1098,7 +1098,10 @@ encoding: } else { to -= str.length - 1; - to = njs_min(to, length); + + if (from > to) { + goto done; + } } for (i = from; i != to; i += increment) { @@ -1108,6 +1111,8 @@ encoding: } } +done: + JS_FreeValue(ctx, buffer); return JS_NewInt32(ctx, -1); } diff --git a/test/buffer.t.js b/test/buffer.t.js index 55227b3a..f47c62f7 100644 --- a/test/buffer.t.js +++ b/test/buffer.t.js @@ -473,6 +473,7 @@ let indexOf_tsuite = { { buf: Buffer.from('abcdef'), value: 'abc', offset: 1, expected: -1 }, { buf: Buffer.from('abcdef'), value: 'def', offset: 1, expected: 3 }, { buf: Buffer.from('abcdef'), value: 'def', offset: -3, expected: 3 }, + { buf: Buffer.from('abcdef'), value: 'efgh', offset: 4, expected: -1 }, { buf: Buffer.from('abcdef'), value: '626364', encoding: 'hex', expected: 1 }, { buf: Buffer.from('abcdef'), value: '626364', encoding: 'utf-128', exception: 'TypeError: "utf-128" encoding is not supported' },