From 2fdeb7e9327e84df657bc146fd73aa269d05dfc5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ole=20Andr=C3=A9=20Vadla=20Ravn=C3=A5s?=
Date: Tue, 17 Mar 2015 13:33:55 -0600
Subject: [PATCH] uv: fix size calculation in select() fallback

Original commit message:

darwin: fix size calculation in select() fallback

Apple's `fd_set` stores its bits in an array of 32-bit integers, which means `FD_ISSET()` may read out of bounds if we allocate storage at byte granularity. There's also a chance that the `select()` call could corrupt the heap, although I didn't investigate that. This issue was discovered by LLVM's AddressSanitizer which caught `FD_ISSET()` trying to read out of bounds.

Ref: https://github.com/libuv/libuv/pull/241
Reviewed-By: Julien Gilli
PR-URL: https://github.com/joyent/node/pull/9179
---
 deps/uv/src/unix/internal.h | 3 +++
 deps/uv/src/unix/stream.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/deps/uv/src/unix/internal.h b/deps/uv/src/unix/internal.h
index 101dc74549..31db5e29ea 100644
--- a/deps/uv/src/unix/internal.h
+++ b/deps/uv/src/unix/internal.h
@@ -55,6 +55,9 @@
 #define ACCESS_ONCE(type, var) \
 (*(volatile type*) &(var))
 
+#define ROUND_UP(a, b) \
+ ((a) % (b) ? ((a) + (b)) - ((a) % (b)) : (a))
+
 #define UNREACHABLE() \
 do { \
 assert(0 && "unreachable code"); \
diff --git a/deps/uv/src/unix/stream.c b/deps/uv/src/unix/stream.c
index 518a2fce0f..7de1d82151 100644
--- a/deps/uv/src/unix/stream.c
+++ b/deps/uv/src/unix/stream.c
@@ -301,7 +301,7 @@ int uv__stream_try_select(uv_stream_t* stream, int* fd) {
 if (fds[1] > max_fd)
 max_fd = fds[1];
 
- sread_sz = (max_fd + NBBY) / NBBY;
+ sread_sz = ROUND_UP(max_fd + 1, sizeof(uint32_t) * NBBY) / NBBY;
 swrite_sz = sread_sz;
 
 s = malloc(sizeof(*s) + sread_sz + swrite_sz);
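Review bot: The new ROUND_UP macro in internal.h expands `a` and `b` up to three times each and carries no comment saying so, so a later caller that passes an expression with side effects, or a zero `b` (which makes `(a) % (b)` undefined), would silently get a wrong size. Because the macro is introduced to compute an allocation size, I would document its contract directly above it, e.g. `/* Round a up to a multiple of b. Arguments are evaluated more than once; b must be non-zero and (a) + (b) must not overflow. */`. The only caller visible in this patch, in stream.c, passes side-effect-free arguments, so this is a documentation request rather than a defect in the commit.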
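Review bot: The `sizeof(uint32_t)` in the new `sread_sz` assignment is a magic word size whose justification exists only in the commit message, so a reader of stream.c cannot tell that it mirrors the 32-bit words of Apple's `fd_set`. I would put a comment right above the assignment, e.g. `/* fd_set is an array of 32-bit words on Darwin; allocate whole words so FD_ISSET() and select() stay inside the buffer. */`. Separately, the second argument is a `size_t`, so if `max_fd` is a signed int (as its comparison with `fds[1]` suggests) then `max_fd + 1` is converted to unsigned inside ROUND_UP, which is only safe while `max_fd` is non-negative. The declaration of `max_fd`, the validation of `fds[]` and the check of the `malloc()` result all lie outside this hunk, since the body of uv__stream_try_select starts before it and continues after it.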