From a1c0cd11ac755062ae1c745dce9219d23154f0c8 Mon Sep 17 00:00:00 2001
From: JoostK
Date: Sun, 9 Jan 2022 19:22:30 +0100
Subject: [PATCH] src: fix out-of-bounds check of serialization indices
The usage of `CHECK_LE` to verify that the index is within bounds of a vector's size allows for reading one item past the vector's end, which is in invalid memory read. This commit fixes the off-by-one error by changing the bounds check to use `CHECK_LT`.
---
 src/node_messaging.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/node_messaging.cc b/src/node_messaging.cc
index a1f28d4746d07f..aac1245f269a87 100644
--- a/src/node_messaging.cc
+++ b/src/node_messaging.cc
@@ -98,19 +98,19 @@ class DeserializerDelegate : public ValueDeserializer::Delegate {
 uint32_t id;
 if (!deserializer->ReadUint32(&id)) return MaybeLocal();
- CHECK_LE(id, host_objects_.size());
+ CHECK_LT(id, host_objects_.size());
 return host_objects_[id]->object(isolate);
 }
 MaybeLocal GetSharedArrayBufferFromId( Isolate* isolate, uint32_t clone_id) override {
- CHECK_LE(clone_id, shared_array_buffers_.size());
+ CHECK_LT(clone_id, shared_array_buffers_.size());
 return shared_array_buffers_[clone_id];
 }
 MaybeLocal GetWasmModuleFromId( Isolate* isolate, uint32_t transfer_id) override {
- CHECK_LE(transfer_id, wasm_modules_.size());
+ CHECK_LT(transfer_id, wasm_modules_.size());
 return WasmModuleObject::FromCompiledModule( isolate, wasm_modules_[transfer_id]);
 }
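Review bot: The corrected `CHECK_LT(id, host_objects_.size())` in GetHostObject still turns an out-of-range index into a process abort, whereas the line just above it handles a failed `ReadUint32` by returning `MaybeLocal()`; since `id` is read from the serialized stream, the two failure modes for a malformed payload are inconsistent, and if that payload can ever originate outside the current process the bound should probably be a soft failure, `if (id >= host_objects_.size()) return MaybeLocal();`, rather than a CHECK (I cannot tell from this hunk who produces the stream, so confirm against the serializer side before changing it). The same question applies to the checks in GetSharedArrayBufferFromId and GetWasmModuleFromId, whose indices are presumably also taken from the stream. Whichever failure mode is kept, each check deserves a one-line comment stating the invariant, e.g. `// Index comes from the serialized stream; it must be strictly less than the table size.`. GetHostObject's signature and the DeserializerDelegate class begin above the hunk.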