src: guard against overflow in ParseArrayIndex()

ParseArrayIndex() would wrap around large (>=2^32) index values on
platforms where sizeof(int64_t) > sizeof(size_t).  Ensure that the
return value fits in a size_t.

PR-URL: #7497
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: James M Snell <[email protected]>

Author: bnoordhuis

src/node_buffer.cc

@@ -207,6 +207,11 @@ inline MUST_USE_RESULT bool ParseArrayIndex(Local<Value> arg,
   if (tmp_i < 0)
     return false;
 
+  // Check that the result fits in a size_t.
+  const uint64_t kSizeMax = static_cast<uint64_t>(static_cast<size_t>(-1));
+  if (static_cast<uint64_t>(tmp_i) > kSizeMax)
+    return false;
+
   *ret = static_cast<size_t>(tmp_i);
   return true;
 }

test/parallel/test-buffer-alloc.js

@@ -1454,6 +1454,13 @@ assert.throws(function() {
   Buffer.from(new ArrayBuffer(0), -1 >>> 0);
 }, /RangeError: 'offset' is out of bounds/);
 
+// ParseArrayIndex() should reject values that don't fit in a 32 bits size_t.
+assert.throws(() => {
+  const a = Buffer(1).fill(0);
+  const b = Buffer(1).fill(0);
+  a.copy(b, 0, 0x100000000, 0x100000001);
+}), /out of range index/;
+
 // Unpooled buffer (replaces SlowBuffer)
 const ubuf = Buffer.allocUnsafeSlow(10);
 assert(ubuf);