From 180643a0581b94e159898a552251b4eb41b037f3 Mon Sep 17 00:00:00 2001
From: islandryu <shimaryuhei@gmail.com>
Date: Sun, 11 Jan 2026 20:12:22 +0900
Subject: [PATCH] child_process: treat ipc length header as unsigned uint32

Fixes: https://github.com/nodejs/node/issues/61312
---
 lib/internal/child_process/serialization.js   |  4 +-
 ...cess-fork-advanced-header-serialization.js | 42 +++++++++++++++++++
 2 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100644 test/parallel/test-child-process-fork-advanced-header-serialization.js

diff --git a/lib/internal/child_process/serialization.js b/lib/internal/child_process/serialization.js
index 46bb1faaf9fc21..6078570a26fc7f 100644
--- a/lib/internal/child_process/serialization.js
+++ b/lib/internal/child_process/serialization.js
@@ -74,12 +74,12 @@ const advanced = {
     while (messageBufferHead.length >= 4) {
       // We call `readUInt32BE` manually here, because this is faster than first converting
       // it to a buffer and using `readUInt32BE` on that.
-      const fullMessageSize = (
+      const fullMessageSize = ((
         messageBufferHead[0] << 24 |
         messageBufferHead[1] << 16 |
         messageBufferHead[2] << 8 |
         messageBufferHead[3]
-      ) + 4;
+      ) >>> 0) + 4;
 
       if (channel[kMessageBufferSize] < fullMessageSize) break;
 
diff --git a/test/parallel/test-child-process-fork-advanced-header-serialization.js b/test/parallel/test-child-process-fork-advanced-header-serialization.js
new file mode 100644
index 00000000000000..27c15649e732d6
--- /dev/null
+++ b/test/parallel/test-child-process-fork-advanced-header-serialization.js
@@ -0,0 +1,42 @@
+'use strict';
+const common = require('../common');
+const assert = require('assert');
+const { fork } = require('child_process');
+const fs = require('fs');
+
+if (process.argv[2] === 'child-buffer') {
+  const v = process.argv[3];
+  const payload = Buffer.from([
+    (v >> 24) & 0xFF,
+    (v >> 16) & 0xFF,
+    (v >> 8) & 0xFF,
+    v & 0xFF,
+  ]);
+  const fd = process.channel?.fd;
+  if (fd === undefined) {
+    // skip test
+    process.exit(0);
+  }
+  fs.writeSync(fd, payload);
+  return;
+}
+
+const testCases = [
+  0x00000001,
+  0x7fffffff,
+  0x80000000,
+  0x80000001,
+  0xffffffff,
+];
+
+for (const size of testCases) {
+  const child = fork(__filename, ['child-buffer', size], {
+    serialization: 'advanced',
+    stdio: ['inherit', 'inherit', 'inherit', 'ipc'],
+  });
+
+  child.on('exit', common.mustCall((code, signal) => {
+    assert.strictEqual(code, 0);
+    assert.strictEqual(signal, null);
+  }));
+}