
OOB read in Buffer.prototype.indexOf #62873

@ChALkeR

From @deepview-autofix:
[Image]

Not a vuln because this is not in any release yet

To reproduce (you need a pre-release or main):

```
Welcome to Node.js v26.0.0-nightly20260421eb54e709c7.
Type ".help" for more information.
> Buffer.alloc(1).indexOf(1,0,-10)
4
> Buffer.alloc(1).indexOf(2,0,-10)
65
> Buffer.alloc(1).indexOf(255,0,-10)
292
> Buffer.alloc(65).indexOf(1,0,-1)
104
> Buffer.alloc(65).indexOf(1,0,-1)
664
> Buffer.alloc(65).indexOf(1,0,-1)
14656
> Buffer.alloc(2048).indexOf(145,0,-1)
189041
```

Code involved:

node/src/node_buffer.cc

Lines 1187 to 1188 in b2248fd

```cpp
size_t search_end = static_cast<size_t>(
    std::min(end_i64, static_cast<int64_t>(buffer_length)));
```

Nothing validates limits on that, either on the native side or in JS.

Regression since #62390
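
An added illustration of the wraparound in the quoted expression (not Node.js source and not part of the original report): `search_end_as_quoted` repeats the arithmetic shown above, while `search_end_clamped`, `index_of_byte` and `kSample` are hypothetical names, and treating a negative `end` as 0 is an assumption about the intended semantics.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Same arithmetic as the quoted lines: a negative end_i64 wins std::min,
// then wraps to a huge unsigned value when cast to size_t.
size_t search_end_as_quoted(int64_t end_i64, size_t buffer_length) {
  return static_cast<size_t>(
      std::min(end_i64, static_cast<int64_t>(buffer_length)));
}

// Assumed hardening: clamp to [0, buffer_length] while still signed,
// so the cast can never produce a value past the end of the buffer.
size_t search_end_clamped(int64_t end_i64, size_t buffer_length) {
  const int64_t len = static_cast<int64_t>(buffer_length);
  return static_cast<size_t>(
      std::max<int64_t>(0, std::min(end_i64, len)));
}

// Hypothetical bounded search: rejects any range that is empty or that
// reaches outside the buffer, instead of trusting the caller's search_end.
int64_t index_of_byte(const uint8_t* data, size_t length, uint8_t needle,
                      size_t start, size_t search_end) {
  if (search_end > length || start >= search_end) return -1;
  for (size_t i = start; i < search_end; ++i) {
    if (data[i] == needle) return static_cast<int64_t>(i);
  }
  return -1;
}

// Constructed sample buffer for the demonstration.
static const uint8_t kSample[3] = {0, 7, 0};

int main() {
  // end = -10 on a 1-byte buffer, as in the first reproduction line.
  std::printf("as quoted: %zu\n", search_end_as_quoted(-10, 1));
  std::printf("clamped:   %zu\n", search_end_clamped(-10, 1));
  std::printf("index:     %lld\n",
              static_cast<long long>(index_of_byte(
                  kSample, 1, 1, 0, search_end_clamped(-10, 1))));
  return 0;
}
```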

Labels: buffer (Issues and PRs related to the buffer subsystem), security (Issues and PRs related to security).
