`Buffer.concat` and `Buffer.copy` silently produce invalid results when the operation involves indices equal or greater than 2^32 · nodejs/node#55422

(19 comments) (0 reactions) (0 assignees)JavaScript (117,218 stars) (35,535 forks)batch import

bufferconfirmed-bughelp wantedregression

説明

Version

v22.9.0, v23.0.0

Platform

Windows 11 x64

Microsoft Windows NT 10.0.22631.0 x64

Subsystem

Buffer

What steps will reproduce the bug?

const largeBuffer = Buffer.alloc(2 ** 32 + 5)
largeBuffer.fill(111)

const result = Buffer.concat([largeBuffer])
console.log(result)

How often does it reproduce? Is there a required condition?

Consistent in v22.9.0 and v23.0.0

What is the expected behavior? Why is that the expected behavior?

All bytes of the return buffer produced by Buffer.concat([largeBuffer]) should be identical to the source:

In this example:

111, 111, 111, 111, 111, 111, 111, 111, 111, 111, 111, ....

What do you see instead?

In the returned buffer, first 5 bytes are 111, and all following ones are 0.

111, 111, 111, 111, 111, 0, 0, 0, 0, 0, 0, ....

The console.log(result) output looks like:

<Buffer 6f 6f 6f 6f 6f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ... 4294967251
 more bytes>

Additional information

No response

コントリビューターガイド

技術スタック: javascriptcpp
領域: backend
Issue 種別: bug
難度: 5
推定時間: over 1 week
活動状況: active
明確さ: clear
前提条件: Node.js internalsC++ memory managementinteger overflow concepts
初心者向け度: 15
調査方針: Investigate the C++ implementation of Buffer.concat and Buffer.copy in Node.js (src/node buffer.cc). Focus on how buffer lengths are handled when they exceed 2^32. Reproduce the bug and trace the internal calls to identify where the truncation occurs. Review the comments in the issue for potential areas of fix such as using size t instead of uint32 t.