Showing with 23 additions and 9 deletions.
  1. +14 −0 src/node_buffer.h
  2. +4 −4 src/node_crypto.cc
  3. +2 −2 src/node_file.cc
  4. +1 −1 src/node_http_parser.cc
  5. +2 −2 src/node_zlib.cc
@@ -93,6 +93,20 @@ class NODE_EXTERN Buffer: public ObjectWrap {
return Buffer::Length(b->handle_);
}

// This is verbose to be explicit with inline commenting
static inline bool IsWithinBounds(size_t off, size_t len, size_t max) {
// Asking to seek too far into the buffer
// check to avoid wrapping in subsequent subtraction
if (off > max)
return false;

// Asking for more than is left over in the buffer
if (max - off < len)
return false;

// Otherwise we're in bounds
return true;
}

~Buffer();

@@ -1320,7 +1320,7 @@ Handle<Value> Connection::EncIn(const Arguments& args) {

size_t off = args[1]->Int32Value();
size_t len = args[2]->Int32Value();
if (off + len > buffer_length) {
if (!Buffer::IsWithinBounds(off, len, buffer_length)) {
return ThrowException(Exception::Error(
String::New("off + len > buffer.length")));
}
@@ -1361,7 +1361,7 @@ Handle<Value> Connection::ClearOut(const Arguments& args) {

size_t off = args[1]->Int32Value();
size_t len = args[2]->Int32Value();
if (off + len > buffer_length) {
if (!Buffer::IsWithinBounds(off, len, buffer_length)) {
return ThrowException(Exception::Error(
String::New("off + len > buffer.length")));
}
@@ -1437,7 +1437,7 @@ Handle<Value> Connection::EncOut(const Arguments& args) {

size_t off = args[1]->Int32Value();
size_t len = args[2]->Int32Value();
if (off + len > buffer_length) {
if (!Buffer::IsWithinBounds(off, len, buffer_length)) {
return ThrowException(Exception::Error(
String::New("off + len > buffer.length")));
}
@@ -1471,7 +1471,7 @@ Handle<Value> Connection::ClearIn(const Arguments& args) {

size_t off = args[1]->Int32Value();
size_t len = args[2]->Int32Value();
if (off + len > buffer_length) {
if (!Buffer::IsWithinBounds(off, len, buffer_length)) {
return ThrowException(Exception::Error(
String::New("off + len > buffer.length")));
}
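Review bot: In Connection::EncIn the rejection of negative arguments is implicit: `args[1]->Int32Value()` is signed, and only the conversion into `size_t off` / `size_t len` turns a negative value into a very large one that IsWithinBounds then refuses. A one-line comment above the check would keep a later type change from silently removing that protection, for example `// negative off/len wrap to huge size_t values and fail the bounds check`. The same applies to the identical checks in ClearOut, EncOut and ClearIn, and to the `size_t len` check in src/node_http_parser.cc. The function bodies continue outside these hunks.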
@@ -733,7 +733,7 @@ static Handle<Value> Write(const Arguments& args) {
}

ssize_t len = args[3]->Int32Value();
if (off + len > buffer_length) {
if (!Buffer::IsWithinBounds(off, len, buffer_length)) {
return ThrowException(Exception::Error(
String::New("off + len > buffer.length")));
}
@@ -796,7 +796,7 @@ static Handle<Value> Read(const Arguments& args) {
}

len = args[3]->Int32Value();
if (off + len > buffer_length) {
if (!Buffer::IsWithinBounds(off, len, buffer_length)) {
return ThrowException(Exception::Error(
String::New("Length extends beyond buffer")));
}
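Review bot: In Write, `len` is declared `ssize_t` but is passed to the `size_t len` parameter of IsWithinBounds, so a negative length is rejected only through the implicit signed-to-unsigned conversion at the call. Making that explicit reads better and survives a signature change: `if (len < 0 || !Buffer::IsWithinBounds(off, static_cast<size_t>(len), buffer_length)) {`. The declarations of `off` and `buffer_length` are outside the hunk, so their types should be confirmed. In Read the declaration of `len` is not visible either, and the same question applies there.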
@@ -410,7 +410,7 @@ class Parser : public ObjectWrap {
}

size_t len = args[2]->Int32Value();
if (off+len > buffer_len) {
if (!Buffer::IsWithinBounds(off, len, buffer_len)) {
return ThrowException(Exception::Error(
String::New("off + len > buffer.length")));
}
@@ -155,15 +155,15 @@ class ZCtx : public ObjectWrap {
in_off = args[2]->Uint32Value();
in_len = args[3]->Uint32Value();

assert(in_off + in_len <= Buffer::Length(in_buf));
assert(Buffer::IsWithinBounds(in_off, in_len, Buffer::Length(in_buf)));
in = reinterpret_cast<Bytef *>(Buffer::Data(in_buf) + in_off);
}

assert(Buffer::HasInstance(args[4]));
Local<Object> out_buf = args[4]->ToObject();
out_off = args[5]->Uint32Value();
out_len = args[6]->Uint32Value();
assert(out_off + out_len <= Buffer::Length(out_buf));
assert(Buffer::IsWithinBounds(out_off, out_len, Buffer::Length(out_buf)));
out = reinterpret_cast<Bytef *>(Buffer::Data(out_buf) + out_off);

// build up the work request
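Review bot: Both bounds checks in this hunk stay inside `assert(...)`, so they are compiled out when the file is built with NDEBUG, and the `Buffer::Data(in_buf) + in_off` and `Buffer::Data(out_buf) + out_off` pointers are then formed from unchecked `Uint32Value()` arguments. When asserts are enabled, a bad offset aborts the process instead of raising an error. If these arguments can carry caller-supplied values, the checks should be unconditional, as in the other files of this commit: `if (!Buffer::IsWithinBounds(in_off, in_len, Buffer::Length(in_buf))) return ThrowException(Exception::Error(String::New("off + len > buffer.length")));` and the same for `out_off`/`out_len`. The enclosing function starts and ends outside the hunk, so its return type needs confirming before using ThrowException here.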