From fe0f015c5159633127e268ebfc5db121883bc35c Mon Sep 17 00:00:00 2001
From: Ben Noordhuis
Date: Wed, 18 Mar 2015 19:20:23 +0100
Subject: [PATCH] src: fix crypto bio integer wraparound on 32 bits

Fix a bug where a size_t was negated and passed to a function that takes an int64_t. It works by accident when sizeof(size_t) == sizeof(int64_t) but it causes the value to underflow when size_t is a 32 bits type. v8::Isolate::AdjustAmountOfExternalAllocatedMemory() is the function I'm talking about. The goal of that call is to tell V8 that some memory has been freed but due to that underflow, we were actually reporting that we had just allocated gigabytes of memory. It set off a garbage collector frenzy and essentially brought the VM to a standstill.

Fixes: https://github.com/iojs/io.js/issues/1188
PR-URL: https://github.com/iojs/io.js/pull/1192
Reviewed-By: Fedor Indutny
---
 src/node_crypto_bio.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/node_crypto_bio.h b/src/node_crypto_bio.h
index 5c38f1baac75a7..c4f2923675e9e2 100644
--- a/src/node_crypto_bio.h
+++ b/src/node_crypto_bio.h
@@ -107,8 +107,10 @@ class NodeBIO {
 ~Buffer() {
 delete[] data_;
- if (env_ != nullptr)
- env_->isolate()->AdjustAmountOfExternalAllocatedMemory(-len_);
+ if (env_ != nullptr) {
+ const int64_t len = static_cast(len_);
+ env_->isolate()->AdjustAmountOfExternalAllocatedMemory(-len);
+ }
 }
 Environment* env_;
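Review bot: The widening cast in `~Buffer()` has no comment saying why it must come before the negation, so a later cleanup could fold it back into `-len_` and bring back the wraparound on 32-bit builds. I would add `// Widen before negating: -len_ on a 32-bit size_t wraps to a huge positive value.` above the `const int64_t len` line. The page shows `static_cast(len_)`; the template argument was presumably `<int64_t>` and lost when the page was extracted, so confirm it against the file. The matching positive adjustment made when the buffer is allocated lies outside this hunk. Any other call that passes a negated unsigned value to `AdjustAmountOfExternalAllocatedMemory()` would over-report memory the same way and stall the process in garbage collection, so those call sites deserve the same check.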