The variable-length readIntLE/UIntLE/BE and writeIntLE/UIntLE/BE only
rejected byteLength > 6. byteLength == 0 passed, the bounds check
"size + index > byte_length" degenerated to "index > byte_length", and
switch (size) fell through to the 6-byte arm, reading or writing 6 bytes
past an attacker-chosen offset. Require byteLength in [1, 6] as Node does.
}
size = (size_t) njs_number(value);
- if (njs_slow_path(size > 6)) {
- njs_type_error(vm, "\"byteLength\" must be <= 6");
+ if (njs_slow_path(size == 0 || size > 6)) {
+ njs_type_error(vm, "\"byteLength\" must be >= 1 and <= 6");
return NJS_ERROR;
}
}
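Review bot: The new `size == 0 || size > 6` check runs only after `size = (size_t) njs_number(value);`, so it tests the result of a floating-point-to-integer cast rather than the value the script supplied (assuming njs_number() yields a double). For NaN, negative or very large inputs that conversion is undefined in C, and a fractional value such as 1.5 is silently truncated to 1, so what reaches the guard can differ by compiler and architecture. Checking the double first, for example `double n = njs_number(value);` followed by `if (njs_slow_path(!(n >= 1 && n <= 6))) {`, rejects NaN and out-of-range values before the cast happens. The same pattern appears in the second njs hunk; the enclosing functions begin and end outside both hunks, so any earlier validation of `value` is not visible here.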
}
size = (size_t) njs_number(value);
- if (njs_slow_path(size > 6)) {
- njs_type_error(vm, "\"byteLength\" must be <= 6");
+ if (njs_slow_path(size == 0 || size > 6)) {
+ njs_type_error(vm, "\"byteLength\" must be >= 1 and <= 6");
return NJS_ERROR;
}
}
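Review bot: The two njs hunks report an out-of-range byteLength with `njs_type_error`, while the two QuickJS hunks use `JS_ThrowRangeError` for the identical condition, so the same script sees a different exception class depending on the engine. The commit description names Node as the reference, and Node reports this case as a RangeError. Using `njs_range_error(vm, "\"byteLength\" must be >= 1 and <= 6");` here and in the first hunk would align both engines, provided existing callers do not rely on catching a TypeError.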
return JS_EXCEPTION;
}
- if (size > 6) {
- return JS_ThrowRangeError(ctx, "\"byteLength\" must be <= 6");
+ if (size == 0 || size > 6) {
+ return JS_ThrowRangeError(ctx,
+ "\"byteLength\" must be >= 1 and <= 6");
}
}
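Review bot: This guard is now the only thing keeping a zero size away from the `switch (size)` that the commit description says treats an unmatched size as the 6-byte case; the switch lies outside the hunk, so this is inferred from the description alone. Making 6 an explicit `case 6:` and having `default:` return an error would let any future path that skips the guard fail closed instead of touching 6 bytes. A regression test that calls the variable-length read and write methods with byteLength 0 would pin the fix in both engines; no test change is visible on this page. The same applies to the other three hunks.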
return JS_EXCEPTION;
}
- if (size > 6) {
- return JS_ThrowRangeError(ctx, "\"byteLength\" must be <= 6");
+ if (size == 0 || size > 6) {
+ return JS_ThrowRangeError(ctx,
+ "\"byteLength\" must be >= 1 and <= 6");
}
}