v8: out of bounds copy

Fixes: #54573

Co-authored-by: ronag <ronagy@icloud.com>
Co-authored-by: ramidzkh <ramidzkh@gmail.com>
PR-URL: #55261
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>

Author: 2 people

lib/v8.js

@@ -49,7 +49,6 @@ if (internalBinding('config').hasInspector) {
 }
 
 const assert = require('internal/assert');
-const { copy } = internalBinding('buffer');
 const { inspect } = require('internal/util/inspect');
 const { FastBuffer } = require('internal/buffer');
 const { getValidatedPath } = require('internal/fs/utils');
@@ -368,7 +367,7 @@ class DefaultDeserializer extends Deserializer {
     }
     // Copy to an aligned buffer first.
     const buffer_copy = Buffer.allocUnsafe(byteLength);
-    copy(this.buffer, buffer_copy, 0, byteOffset, byteOffset + byteLength);
+    buffer_copy.set(new Uint8Array(this.buffer.buffer, this.buffer.byteOffset + byteOffset, byteLength));
     return new ctor(buffer_copy.buffer,
                     buffer_copy.byteOffset,
                     byteLength / BYTES_PER_ELEMENT);

test/parallel/test-v8-deserialize-buffer.js

@@ -5,3 +5,7 @@ const v8 = require('v8');
 
 process.on('warning', common.mustNotCall());
 v8.deserialize(v8.serialize(Buffer.alloc(0)));
+v8.deserialize(v8.serialize({ a: new Int32Array(1024) }));
+v8.deserialize(v8.serialize({ b: new Int16Array(8192) }));
+v8.deserialize(v8.serialize({ c: new Uint32Array(1024) }));
+v8.deserialize(v8.serialize({ d: new Uint16Array(8192) }));