From: Dmitry Volyntsev
Date: Fri, 12 Jun 2026 01:34:26 +0000 (-0700)
Subject: Buffer: fix infinite loop when filling from a zero-length typed array
X-Git-Tag: 1.0.0~4
X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/stylesheets/stylesheet.css?a=commitdiff_plain;h=8b0a1a87b1b3bdb20cac302a8dda6202b47dd39b;p=njs.git

Buffer: fix infinite loop when filling from a zero-length typed array

njs_buffer_fill_typed_array() advanced the destination by njs_min(byte_length, end - to) each iteration. When the fill source typed array was empty, the step was always zero and the loop spun forever, hanging the worker on attacker-controlled input. Zero-fill the range for an empty source, matching njs_buffer_fill_string() and the QuickJS qjs_buffer_fill().
---
diff --git a/src/njs_buffer.c b/src/njs_buffer.c
index 988919fb..5bdab1a7 100644
--- a/src/njs_buffer.c
+++ b/src/njs_buffer.c
@@ -1919,6 +1919,11 @@ njs_buffer_fill_typed_array(njs_vm_t *vm, const njs_value_t *value,
 byte_length = arr_from->byte_length;
 from = &njs_typed_array_buffer(arr_from)->u.u8[arr_from->offset];
+ if (byte_length == 0) {
+ memset(to, 0, end - to);
+ return NJS_OK;
+ }
+
 if (njs_typed_array_buffer(arr_from)->u.u8 == buffer->u.u8) {
 while (to < end) {
 n = njs_min(byte_length, (size_t) (end - to));
diff --git a/test/buffer.t.js b/test/buffer.t.js
index 898e259a..f110f83e 100644
--- a/test/buffer.t.js
+++ b/test/buffer.t.js
@@ -340,6 +340,8 @@ let fill_tsuite = {
 { buf: Buffer.from('abc'), value: Buffer.from('def'), expected: 'def' },
 { buf: Buffer.from('abc'), value: Buffer.from('def'), detach_value: true, exception: 'TypeError: detached buffer' },
+ { buf: Buffer.from('abc'), value: Buffer.from(''), expected: '\0\0\0' },
+ { buf: Buffer.from('abc'), value_from_buf: [1, 1], expected: '\0\0\0' },
 { buf: Buffer.from('def'), value: Buffer.from(new Uint8Array([0x60, 0x61, 0x62, 0x63]).buffer, 1), expected: 'abc' },
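Review bot: The new early return in njs_buffer_fill_typed_array() passes the raw pointer difference to memset while the sibling expression a few lines below spells it `(size_t) (end - to)`; the same cast keeps the hunk consistent and avoids a sign-conversion warning, `memset(to, 0, (size_t) (end - to));`. The old `while (to < end)` loop was a harmless no-op whenever `to >= end`, whereas memset now relies on `to <= end` holding on entry — if the range normalisation earlier in the function (outside this hunk) already guarantees that, nothing changes, otherwise the guard should read `if (byte_length == 0) { if (to < end) { memset(...); } return NJS_OK; }` so a wrapped length can never reach memset. The branch also deserves a why-comment, since nothing at the call site says why an empty source is special: `/* An empty source makes the njs_min() step below zero and the loop never terminates; zero-fill the range instead (same as njs_buffer_fill_string()). */`. The enclosing function starts and ends outside the hunk.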