Skip to content

buffer: validate copyArrayBuffer offsets against buffer length#63904

Open
iliaal wants to merge 1 commit into
nodejs:mainfrom
iliaal:buffer-copyarraybuffer-bounds
Open

buffer: validate copyArrayBuffer offsets against buffer length#63904
iliaal wants to merge 1 commit into
nodejs:mainfrom
iliaal:buffer-copyarraybuffer-bounds

Conversation

@iliaal

@iliaal iliaal commented Jun 14, 2026

Copy link
Copy Markdown

CopyArrayBuffer() computed byteLength - offset in unsigned arithmetic before its CHECK_GE bounds check. An offset greater than the buffer length wrapped the subtraction to a near-SIZE_MAX value, so the check passed and memcpy() copied out of bounds.

The only in-tree caller is the Web Streams BYOB reader, which validates the offsets in JS via canCopyArrayBuffer() before calling. The binding is also reachable directly through process.binding('buffer').copyArrayBuffer(...), which bypasses that guard, so the offsets reach C++ unchecked. Only in-process (trusted) code can reach it, so this is a robustness fix, not a vulnerability.

Validate the destination and source ranges in C++ and throw ERR_OUT_OF_RANGE, as the other range checks in node_buffer.cc already do.

Reproduction before the change (in-process JS, no flags):

const b = process.binding('buffer');
b.copyArrayBuffer(new ArrayBuffer(1024), 1025, new ArrayBuffer(8), 0, 8);
// writes 8 bytes past the destination, corrupting the adjacent heap chunk

After the change the call throws ERR_OUT_OF_RANGE.

@iliaal
buffer: validate copyArrayBuffer offsets against buffer length
f277b81 
CopyArrayBuffer() computed `byteLength - offset` in unsigned arithmetic
before its CHECK_GE bounds check. An offset greater than the buffer
length wrapped the subtraction to a near-SIZE_MAX value, so the check
passed and memcpy() copied out of bounds.

The only in-tree caller, the Web Streams BYOB reader, already validates
the offsets in JS, but the binding is reachable directly through
process.binding('buffer'), which bypasses that guard. Validate the
destination and source ranges in C++ and throw ERR_OUT_OF_RANGE, as the
other range checks in this file already do.
@nodejs-github-bot nodejs-github-bot added buffer Issues and PRs related to the buffer subsystem. c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run. labels Jun 14, 2026
Renegade334
Renegade334 requested changes Jun 14, 2026
View reviewed changes

@Renegade334 Renegade334 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The caller validates the arguments here, we do not provide guardrails for invoking C++ internals from userland.

That being said, an additional assertion to cover the invariant you've mentioned (eg. CHECK_LE(destination_offset, destination_byte_length) wouldn't go amiss.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Renegade334 Renegade334 Renegade334 requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

buffer Issues and PRs related to the buffer subsystem. c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@iliaal @Renegade334 @nodejs-github-bot