v8: out of bounds copy

Fixes: #54573 Co-authored-by: ronag <[email protected]> Co-authored-by: ramidzkh <[email protected]>
nodejs · Oct 4, 2024 · 3d3950f · 3d3950f
1 parent d2ad9b4
commit 3d3950f
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/lib/v8.js b/lib/v8.js
@@ -49,7 +49,6 @@ if (internalBinding('config').hasInspector) {
 }
 
 const assert = require('internal/assert');
-const { copy } = internalBinding('buffer');
 const { inspect } = require('internal/util/inspect');
 const { FastBuffer } = require('internal/buffer');
 const { getValidatedPath } = require('internal/fs/utils');
@@ -368,7 +367,7 @@ class DefaultDeserializer extends Deserializer {
     }
     // Copy to an aligned buffer first.
     const buffer_copy = Buffer.allocUnsafe(byteLength);
-    copy(this.buffer, buffer_copy, 0, byteOffset, byteOffset + byteLength);
+    this.buffer.copy(buffer_copy, 0, byteOffset, byteOffset + byteLength);
     return new ctor(buffer_copy.buffer,
                     buffer_copy.byteOffset,
                     byteLength / BYTES_PER_ELEMENT);

diff --git a/test/parallel/test-v8-deserialize-buffer.js b/test/parallel/test-v8-deserialize-buffer.js
@@ -5,3 +5,7 @@ const v8 = require('v8');
 
 process.on('warning', common.mustNotCall());
 v8.deserialize(v8.serialize(Buffer.alloc(0)));
+v8.deserialize(v8.serialize({a: new Int32Array(1024)}));
+v8.deserialize(v8.serialize({b: new Int16Array(8192)}));
+v8.deserialize(v8.serialize({c: new Uint32Array(1024)}));
+v8.deserialize(v8.serialize({d: new Uint16Array(8192)}));