njs_export_base64url_bignum() and qjs_export_base64url_bignum() wrote
BN_num_bytes() bytes into a fixed 512-byte stack buffer without a bound
check. An RSA key with a modulus larger than 4096 bits (over 512 bytes),
generated or imported via SPKI/PKCS8, overflowed the buffer during
exportKey("jwk").
While here, make the parallel import path in both engines throw an
exception when the decoded key exceeds the buffer, instead of failing
silently.
Reported by Vaibhav Rajput.
size = BN_num_bytes(v);
}
+ if (njs_slow_path(size > sizeof(buf))) {
+ njs_vm_range_error(vm, "JWK key too long: %uz > 512", size);
+ return NJS_ERROR;
+ }
+
if (njs_bn_bn2binpad(v, &buf[0], size) <= 0) {
return NJS_ERROR;
}
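Review bot: The new range check at the top of this hunk compares against `sizeof(buf)` but the error message hard-codes "512", so the two will drift apart if the buffer is ever resized; the same literal appears in the import-side message below. Print the actual limit instead: `njs_vm_range_error(vm, "JWK key too long: %uz > %uz", size, sizeof(buf));`. The check sits after the closing brace of the `size = BN_num_bytes(v)` branch, so it also covers whatever sets `size` in the other branch, which is the right placement. The enclosing function starts and ends outside this hunk.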
(void) njs_decode_base64url_length(&data, &decoded.length);
if (njs_slow_path(decoded.length > sizeof(buf))) {
+ njs_vm_range_error(vm, "JWK key too long: %uz > 512", decoded.length);
return NULL;
}
size = BN_num_bytes(v);
}
+ if (size > sizeof(buf)) {
+ JS_ThrowRangeError(cx, "JWK key too long: %zu > 512", size);
+ return JS_EXCEPTION;
+ }
+
if (njs_bn_bn2binpad(v, &buf[0], size) <= 0) {
JS_ThrowInternalError(cx, "njs_bn_bn2binpad() failed");
return JS_EXCEPTION;
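Review bot: As in the njs counterpart, the added guard tests `size > sizeof(buf)` while the RangeError text hard-codes "512"; keep the message tied to the buffer with `JS_ThrowRangeError(cx, "JWK key too long: %zu > %zu", size, sizeof(buf));` (and likewise for the import-side message below). The `%zu` conversion assumes `size` is a `size_t`; if it is declared `int` to match `BN_num_bytes()`, the argument needs a cast or the specifier needs to change. The enclosing function starts and ends outside this hunk.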
if (decoded.length > sizeof(buf)) {
JS_ThrowRangeError(cx, "JWK key too long: %zu > 512", decoded.length);
+ JS_FreeCString(cx, (char *) data.start);
return NULL;
}