diff options
| author |  Jarred Sumner <709451+Jarred-Sumner@users.noreply.github.com>
| 2023-01-16 15:48:14 -0800 |
|---|---|---|
| committer | Jarred Sumner <709451+Jarred-Sumner@users.noreply.github.com>
| 2023-01-16 15:48:14 -0800 |
| commit | d54e23ca33cc95199a58d958abf990d9a6e1eb26 (patch) | |
| tree | 07f137e7506a6535077da0afa5ecbef5cc807c01 | |
| parent | 02f0212cbd8e834d16057d0eaf9b35eef4954866 (diff) | |
| download | bun-d54e23ca33cc95199a58d958abf990d9a6e1eb26.tar.gz bun-d54e23ca33cc95199a58d958abf990d9a6e1eb26.tar.zst bun-d54e23ca33cc95199a58d958abf990d9a6e1eb26.zip | |
[napi] Fix potential crash in `napi_create_buffer_copy`, `napi_create_buffer`
| -rw-r--r-- | src/bun.js/bindings/Buffer.h | 1 | ||||
| -rw-r--r-- | src/bun.js/bindings/JSBuffer.cpp | 2 | ||||
| -rw-r--r-- | src/bun.js/bindings/bindings.zig | 7 | ||||
| -rw-r--r-- | src/napi/napi.zig | 30 |
4 files changed, 26 insertions, 14 deletions
diff --git a/src/bun.js/bindings/Buffer.h b/src/bun.js/bindings/Buffer.h index 9acef1400..fecc627a1 100644 --- a/src/bun.js/bindings/Buffer.h +++ b/src/bun.js/bindings/Buffer.h @@ -12,6 +12,7 @@ #include "JavaScriptCore/JSBase.h" #include "headers-handwritten.h" +extern "C" JSC::EncodedJSValue JSBuffer__bufferFromLength(JSC::JSGlobalObject* lexicalGlobalObject, int64_t length); extern "C" JSC::EncodedJSValue JSBuffer__bufferFromPointerAndLengthAndDeinit(JSC::JSGlobalObject* lexicalGlobalObject, char* ptr, size_t length, void* ctx, JSTypedArrayBytesDeallocator bytesDeallocator); extern "C" JSC::EncodedJSValue Bun__encoding__toString(const uint8_t* input, size_t len, JSC::JSGlobalObject* globalObject, Encoding encoding); extern "C" JSC::EncodedJSValue Bun__encoding__toStringUTF8(const uint8_t* input, size_t len, JSC::JSGlobalObject* globalObject); diff --git a/src/bun.js/bindings/JSBuffer.cpp b/src/bun.js/bindings/JSBuffer.cpp index 4299286eb..378bc4d13 100644 --- a/src/bun.js/bindings/JSBuffer.cpp +++ b/src/bun.js/bindings/JSBuffer.cpp @@ -223,7 +223,7 @@ static inline JSC::JSUint8Array* JSBuffer__bufferFromLengthAsArray(JSC::JSGlobal RELEASE_AND_RETURN(throwScope, uint8Array); } -EncodedJSValue JSBuffer__bufferFromLength(JSC::JSGlobalObject* lexicalGlobalObject, int64_t length) +extern "C" EncodedJSValue JSBuffer__bufferFromLength(JSC::JSGlobalObject* lexicalGlobalObject, int64_t length) { return JSC::JSValue::encode(JSBuffer__bufferFromLengthAsArray(lexicalGlobalObject, length)); } diff --git a/src/bun.js/bindings/bindings.zig b/src/bun.js/bindings/bindings.zig index 1bee13fc0..a7bede295 100644 --- a/src/bun.js/bindings/bindings.zig +++ b/src/bun.js/bindings/bindings.zig @@ -2802,6 +2802,13 @@ pub const JSValue = enum(JSValueReprInt) { return cppFn("makeWithNameAndPrototype", .{ globalObject, class, instance, name_ }); } + pub fn createBufferFromLength(globalObject: *JSGlobalObject, len: usize) JSValue { + JSC.markBinding(@src()); + return JSBuffer__bufferFromLength(globalObject, @intCast(i64, len)); + } + + extern fn JSBuffer__bufferFromLength(*JSGlobalObject, i64) JSValue; + /// Must come from globally-allocated memory if allocator is not null pub fn createBuffer(globalObject: *JSGlobalObject, slice: []u8, allocator: ?std.mem.Allocator) JSValue { JSC.markBinding(@src()); diff --git a/src/napi/napi.zig b/src/napi/napi.zig index da7191590..208858bd8 100644 --- a/src/napi/napi.zig +++ b/src/napi/napi.zig @@ -1058,12 +1058,14 @@ pub export fn napi_fatal_error(location_ptr: ?[*:0]const u8, location_len: usize bun.Global.panic("napi: {s}", .{message}); } -pub export fn napi_create_buffer(env: napi_env, length: usize, data: [*]*anyopaque, result: *napi_value) napi_status { - var buf = JSC.ExternalBuffer.create(null, @ptrCast([*]u8, data)[0..length], env, null, env.bunVM().allocator) catch { - return .generic_failure; - }; - - result.* = buf.toJS(env); +pub export fn napi_create_buffer(env: napi_env, length: usize, data: ?**anyopaque, result: *napi_value) napi_status { + var buffer = JSC.JSValue.createBufferFromLength(env, length); + if (length > 0) { + if (data) |ptr| { + ptr.* = buffer.asArrayBuffer(env).?.ptr; + } + } + result.* = buffer; return .ok; } pub export fn napi_create_external_buffer(env: napi_env, length: usize, data: ?*anyopaque, finalize_cb: napi_finalize, finalize_hint: ?*anyopaque, result: *napi_value) napi_status { @@ -1075,15 +1077,17 @@ pub export fn napi_create_external_buffer(env: napi_env, length: usize, data: ?* return .ok; } pub export fn napi_create_buffer_copy(env: napi_env, length: usize, data: [*]u8, result_data: ?*?*anyopaque, result: *napi_value) napi_status { - var duped = env.bunVM().allocator.alloc(u8, length) catch { - return .generic_failure; - }; - @memcpy(duped.ptr, data, length); - if (result_data) |res| { - res.* = duped.ptr; + var buffer = JSC.JSValue.createBufferFromLength(env, length); + if (buffer.asArrayBuffer(env)) |array_buf| { + if (length > 0) { + @memcpy(array_buf.slice().ptr, data, length); + } + if (result_data) |ptr| { + ptr.* = if (length > 0) array_buf.ptr else null; + } } - result.* = JSC.JSValue.createBuffer(env, duped, env.bunVM().allocator); + result.* = buffer; return .ok; } |