src: harden SlicedString::ToString

Add some extra checks to make sure we won't crash when stringifying a (possibly corrupted) SlicedString. PR-URL: #332 Reviewed-By: Colin Ihrig <[email protected]>
nodejs · Jan 21, 2020 · bff9f5e · bff9f5e
1 parent e8896e0
commit bff9f5e
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/src/llv8-inl.h b/src/llv8-inl.h
@@ -826,6 +826,7 @@ inline std::string ConsString::ToString(Error& err) {
 inline std::string SlicedString::ToString(Error& err) {
  String parent = Parent(err);
  if (err.Fail()) return std::string();
+ RETURN_IF_INVALID(parent, std::string());
 
  // TODO - Remove when we add support for external strings
  // We can't use the offset and length safely if we get "(external)"
@@ -838,6 +839,7 @@ inline std::string SlicedString::ToString(Error& err) {
 
  Smi offset = Offset(err);
  if (err.Fail()) return std::string();
+ RETURN_IF_INVALID(offset, std::string());
 
  CheckedType<int32_t> length = Length(err);
  RETURN_IF_INVALID(length, std::string());
@@ -847,7 +849,7 @@ inline std::string SlicedString::ToString(Error& err) {
 
  int64_t off = offset.GetValue();
  int64_t tmp_size = tmp.size();
- if (off > tmp_size || *length > tmp_size) {
+ if (off > tmp_size || *length > tmp_size || *length < 0 || off < 0) {
  err = Error::Failure("Failed to display sliced string 0x%016" PRIx64
  " (offset = 0x%016" PRIx64
  ", length = %d) from parent string 0x%016" PRIx64