`Buffer.concat` and `Buffer.copy` silently produce invalid results when the operation involves indices equal or greater than 2^32 · nodejs/node#55422

(19 留言) (0 反應) (0 負責人)JavaScript (117,218 star) (35,535 fork)batch import

bufferconfirmed-bughelp wantedregression

描述

Version

v22.9.0, v23.0.0

Platform

Windows 11 x64

Microsoft Windows NT 10.0.22631.0 x64

Subsystem

Buffer

What steps will reproduce the bug?

const largeBuffer = Buffer.alloc(2 ** 32 + 5)
largeBuffer.fill(111)

const result = Buffer.concat([largeBuffer])
console.log(result)

How often does it reproduce? Is there a required condition?

Consistent in v22.9.0 and v23.0.0

What is the expected behavior? Why is that the expected behavior?

All bytes of the return buffer produced by Buffer.concat([largeBuffer]) should be identical to the source:

In this example:

111, 111, 111, 111, 111, 111, 111, 111, 111, 111, 111, ....

What do you see instead?

In the returned buffer, first 5 bytes are 111, and all following ones are 0.

111, 111, 111, 111, 111, 0, 0, 0, 0, 0, 0, ....

The console.log(result) output looks like:

<Buffer 6f 6f 6f 6f 6f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ... 4294967251
 more bytes>

Additional information

No response

貢獻者指南

技術棧: javascriptcpp
領域: backend
議題類型: bug
難度: 5
預計時間: over 1 week
活動狀態: active
清晰度: clear
前置要求: Node.js internalsC++ memory managementinteger overflow concepts
新手友善度: 15
研究方向: Investigate the C++ implementation of Buffer.concat and Buffer.copy in Node.js (src/node buffer.cc). Focus on how buffer lengths are handled when they exceed 2^32. Reproduce the bug and trace the internal calls to identify where the truncation occurs. Review the comments in the issue for potential areas of fix such as using size t instead of uint32 t.