deps: fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806

santigimeno · marco-ippolito · commit 3d27175c42a4 · 2024-02-12T16:19:04.000+01:00
Refs: GHSA-f74f-cvh7-c6q6 PR-URL: #51614
diff --git a/deps/uv/src/idna.c b/deps/uv/src/idna.c
@@ -274,6 +274,9 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
   char* ds;
   int rc;
 
+  if (s == se)
+    return UV_EINVAL;
+
   ds = d;
 
   si = s;
@@ -308,8 +311,9 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
       return rc;
   }
 
-  if (d < de)
-    *d++ = '\0';
+  if (d >= de)
+    return UV_EINVAL;
 
+  *d++ = '\0';
   return d - ds;  /* Number of bytes written. */
 }
diff --git a/deps/uv/test/test-idna.c b/deps/uv/test/test-idna.c
@@ -99,6 +99,7 @@ TEST_IMPL(utf8_decode1) {
 TEST_IMPL(utf8_decode1_overrun) {
   const char* p;
   char b[1];
+  char c[1];
 
   /* Single byte. */
   p = b;
@@ -112,6 +113,10 @@ TEST_IMPL(utf8_decode1_overrun) {
   ASSERT_EQ((unsigned) -1, uv__utf8_decode1(&p, b + 1));
   ASSERT_EQ(p, b + 1);
 
+  b[0] = 0x7F;
+  ASSERT_EQ(UV_EINVAL, uv__idna_toascii(b, b + 0, c, c + 1));
+  ASSERT_EQ(UV_EINVAL, uv__idna_toascii(b, b + 1, c, c + 1));
+
   return 0;
 }
 
@@ -145,8 +150,8 @@ TEST_IMPL(idna_toascii) {
   /* Illegal inputs. */
   F("\xC0\x80\xC1\x80", UV_EINVAL);  /* Overlong UTF-8 sequence. */
   F("\xC0\x80\xC1\x80.com", UV_EINVAL);  /* Overlong UTF-8 sequence. */
+  F("", UV_EINVAL);
   /* No conversion. */
-  T("", "");
   T(".", ".");
   T(".com", ".com");
   T("example", "example");
