src: fix out-of-bounds check of serialization indices

The usage of `CHECK_LE` to verify that the index is within bounds of a vector's size allows for reading one item past the vector's end, which is in invalid memory read. This commit fixes the off-by-one error by changing the bounds check to use `CHECK_LT`. PR-URL: #41452 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com>
nodejs · Jan 14, 2022 · 7ac126b · 7ac126b
1 parent 5c0c459
commit 7ac126b
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/src/node_messaging.cc b/src/node_messaging.cc
@@ -98,19 +98,19 @@ class DeserializerDelegate : public ValueDeserializer::Delegate {
     uint32_t id;
     if (!deserializer->ReadUint32(&id))
       return MaybeLocal<Object>();
-    CHECK_LE(id, host_objects_.size());
+    CHECK_LT(id, host_objects_.size());
     return host_objects_[id]->object(isolate);
   }
 
   MaybeLocal<SharedArrayBuffer> GetSharedArrayBufferFromId(
       Isolate* isolate, uint32_t clone_id) override {
-    CHECK_LE(clone_id, shared_array_buffers_.size());
+    CHECK_LT(clone_id, shared_array_buffers_.size());
     return shared_array_buffers_[clone_id];
   }
 
   MaybeLocal<WasmModuleObject> GetWasmModuleFromId(
       Isolate* isolate, uint32_t transfer_id) override {
-    CHECK_LE(transfer_id, wasm_modules_.size());
+    CHECK_LT(transfer_id, wasm_modules_.size());
     return WasmModuleObject::FromCompiledModule(
         isolate, wasm_modules_[transfer_id]);
   }