Do not attempt to perform OOB write in writeCString

addaleax · addaleax · commit 0d8234e38e05 · 2020-08-05T21:10:29.000+02:00
Include the nul terminator in the size computation. Otherwise, Node.js may throw an exception when `.writeUInt8` is called. Fixes: #40
diff --git a/lib/ref.js b/lib/ref.js
@@ -578,7 +578,7 @@ exports.writeCString = function writeCString (buffer, offset, string, encoding)
   if (!encoding) {
     encoding = 'utf8';
   }
-  const size = buffer.length - offset;
+  const size = buffer.length - offset - 1;
   const len = buffer.write(string, offset, size, encoding);
   buffer.writeUInt8(0, offset + len);  // NUL terminate
 }
diff --git a/test/string.js b/test/string.js
@@ -31,6 +31,20 @@ describe('C string', function() {
       }
       assert.strictEqual(0, buf[str.length]);
     });
+
+    it('should not write the terminating 0 out of bounds', function() {
+      const wholebuf = Buffer.alloc(20, 127);
+      const buf = wholebuf.subarray(0, 10);
+      const str = 'hello world';
+      buf.writeCString(str);
+      for (let i = 0; i < buf.length - 1; i++) {
+        assert.strictEqual(str.charCodeAt(i), buf[i]);
+      }
+      assert.strictEqual(0, buf[buf.length - 1]);
+      for (let i = buf.length; i < wholebuf.length; i++) {
+        assert.strictEqual(127, wholebuf[i]);
+      }
+    });
   });
 
   describe('allocCString()', function() {

Original file line number	Diff line number	Diff line change
`@@ -578,7 +578,7 @@ exports.writeCString = function writeCString (buffer, offset, string, encoding)`
`578`	`578`	`if (!encoding) {`
`579`	`579`	`encoding = 'utf8';`
`580`	`580`	`}`
`581`		`- const size = buffer.length - offset;`
	`581`	`+ const size = buffer.length - offset - 1;`
`582`	`582`	`const len = buffer.write(string, offset, size, encoding);`
`583`	`583`	`buffer.writeUInt8(0, offset + len); // NUL terminate`
`584`	`584`	`}`