buffer: out of bounds copy

ronag · ronag · commit 3fe04a8eea65 · 2024-10-04T11:28:12.000+02:00
Fixes: #54573
diff --git a/lib/v8.js b/lib/v8.js
@@ -368,7 +368,7 @@ class DefaultDeserializer extends Deserializer {
     }
     // Copy to an aligned buffer first.
     const buffer_copy = Buffer.allocUnsafe(byteLength);
-    copy(this.buffer, buffer_copy, 0, byteOffset, byteOffset + byteLength);
+    copy(this.buffer, buffer_copy, 0, byteOffset, byteLength);
     return new ctor(buffer_copy.buffer,
                     buffer_copy.byteOffset,
                     byteLength / BYTES_PER_ELEMENT);
diff --git a/test/parallel/test-v8-deserialize-buffer.js b/test/parallel/test-v8-deserialize-buffer.js
@@ -5,3 +5,7 @@ const v8 = require('v8');
 
 process.on('warning', common.mustNotCall());
 v8.deserialize(v8.serialize(Buffer.alloc(0)));
+v8.deserialize(v8.serialize({a: new Int32Array(1024)}))
+v8.deserialize(v8.serialize({b: new Int16Array(8192)}))
+v8.deserialize(v8.serialize({c: new Uint32Array(1024)}))
+v8.deserialize(v8.serialize({d: new Uint16Array(8192)}))

Original file line number	Diff line number	Diff line change
`@@ -368,7 +368,7 @@ class DefaultDeserializer extends Deserializer {`
`368`	`368`	`}`
`369`	`369`	`// Copy to an aligned buffer first.`
`370`	`370`	`const buffer_copy = Buffer.allocUnsafe(byteLength);`
`371`		`- copy(this.buffer, buffer_copy, 0, byteOffset, byteOffset + byteLength);`
	`371`	`+ copy(this.buffer, buffer_copy, 0, byteOffset, byteLength);`
`372`	`372`	`return new ctor(buffer_copy.buffer,`
`373`	`373`	`buffer_copy.byteOffset,`
`374`	`374`	`byteLength / BYTES_PER_ELEMENT);`