git.kaiwu.me - njs.git/commit
Buffer: fix out-of-bounds access in readInt/writeInt with zero byteLength
author Dmitry Volyntsev <xeioex@nginx.com>
Fri, 12 Jun 2026 01:24:28 +0000 (18:24 -0700)
committer Dmitry Volyntsev <xeioexception@gmail.com>
Tue, 16 Jun 2026 23:22:57 +0000 (16:22 -0700)
commit e07124084a246ed40d2221da1e2f3e624e93588f
tree 596612bc32404d161ff5c420284255424e7f4718
parent f28636838008d0ae756e983bee37b475cb84e706
Buffer: fix out-of-bounds access in readInt/writeInt with zero byteLength

The variable-length readIntLE/UIntLE/BE and writeIntLE/UIntLE/BE only
rejected byteLength > 6.  byteLength == 0 passed, the bounds check
"size + index > byte_length" degenerated to "index > byte_length", and
switch (size) fell through to the 6-byte arm, reading or writing 6 bytes
past an attacker-chosen offset.  Require byteLength in [1, 6] as Node does.
src/njs_buffer.c
src/qjs_buffer.c
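
The validation gap the commit message describes, as an added example that is not code from src/njs_buffer.c or src/qjs_buffer.c. All function names are hypothetical, and the pre-fix behaviour is modelled only from the wording of the message; the subtraction form of the bounds check is a choice made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration; the function names are hypothetical and this is not
 * the code in src/njs_buffer.c or src/qjs_buffer.c. */

/* Validation as the commit message describes it before the fix:
 * only size > 6 is rejected, then "size + index > byte_length". */
int accepts_before(size_t byte_length, size_t index, size_t size)
{
    if (size > 6) return 0;
    if (size + index > byte_length) return 0;   /* size == 0: index > byte_length */
    return 1;
}

/* Bytes the access touches before the fix, per the message: size 0
 * falls through to the 6-byte arm of the switch. */
size_t bytes_touched_before(size_t size)
{
    return (size == 0) ? 6 : size;
}

/* Validation after the fix: size must be in [1, 6]. The bounds check is
 * written as a subtraction so it cannot wrap. */
int accepts_after(size_t byte_length, size_t index, size_t size)
{
    if (size < 1 || size > 6) return 0;
    if (index > byte_length || size > byte_length - index) return 0;
    return 1;
}

/* Little-endian unsigned read guarded by the corrected validation.
 * Returns 0 and stores the value in *out, or -1 if rejected. */
int read_uint_le(const uint8_t *buf, size_t byte_length, size_t index,
                 size_t size, uint64_t *out)
{
    uint64_t v = 0;

    if (!accepts_after(byte_length, index, size)) return -1;
    for (size_t i = size; i-- > 0; ) {
        v = (v << 8) | buf[index + i];
    }
    *out = v;
    return 0;
}
```

With an 8-byte buffer, index 4 and size 0, `accepts_before` passes while `bytes_touched_before` reports 6 bytes, which is the mismatch between the checked length and the accessed length that the range check closes.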