buffer: fix silent data corruption with indices >= 2^32#62157
Closed
Felipeness wants to merge 1 commit intonodejs:mainfrom
Closed
buffer: fix silent data corruption with indices >= 2^32#62157Felipeness wants to merge 1 commit intonodejs:mainfrom
Felipeness wants to merge 1 commit intonodejs:mainfrom
Conversation
nodejs-github-bot
added
buffer
SlowCopy and FastCopy in node_buffer.cc used uint32_t for target_start, source_start, and to_copy parameters. When these values exceeded 2^32, they silently wrapped around, causing Buffer.copy and Buffer.concat to produce incorrect results with large buffers. Change CopyImpl parameters from uint32_t to size_t, SlowCopy to use IntegerValue (int64_t) instead of Uint32, and FastCopy to use uint64_t. Add a guard against negative int64_t values before casting to size_t to prevent potential out-of-bounds access. Note: other functions in node_buffer.cc (CopyArrayBuffer, StringWrite, FastByteLengthUtf8) have similar uint32_t limitations but are not addressed here to keep this change focused on the reported regression. Fixes: nodejs#55422
Felipeness
force-pushed
the
fix/buffer-copy-large-indices
branch
from
4a9feca to
4ab5e5a
Compare
Member
|
Duplicate of #61914. |
Author
|
Thanks for the heads up! I wasn't aware of #61914 when opening this. Closing as duplicate — that PR covers the same fix. One minor note for #61914: the test allocates 4GB+ buffers, so it might fit better in |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Buffer.copy()andBuffer.concat()silently produced incorrect results when operating with buffers whose size or copy offsets exceeded 2^32 bytes (4 GiB). This is a regression introduced in v22.7.0 by #54087.Root cause
SlowCopyandFastCopyinsrc/node_buffer.ccuseduint32_tfortarget_start,source_start, andto_copyparameters. Values exceeding 2^32 silently wrapped around due to integer overflow, causingmemmoveto write to the wrong position.Changes
CopyImplparameters fromuint32_ttosize_tSlowCopyto useIntegerValue(int64_t) instead ofAs<Uint32>()->Value()int64_tvalues before casting tosize_tFastCopyto useuint64_tparameters and return typeOut of scope
Other functions in
node_buffer.cc(CopyArrayBuffer,StringWrite,FastByteLengthUtf8) have similaruint32_tlimitations but are not addressed here to keep the change focused on the reported regression. These could be fixed in follow-up PRs.Test plan
Buffer.copy()withtargetStart >= 2^32writes to the correct positionBuffer.copy()crossing the 2^32-1 boundary writes correctlyBuffer.concat()with total result length > 2^32 preserves all datatest/pummel/and skips on 32-bit platforms and low-memory environmentsFixes: #55422