fix(security): prevent from stack buffer overflow in fromBigInt (CVE-2025-3194)#64
Open
ja88a wants to merge 1 commit into no2chem:master from
Conversation
The fits_in_stack check in fromBigInt compared word_count bytes against BUFFER_STACK_SIZE (an element count, not a byte count). When a small BigInt was written to a large non-64-aligned buffer, the check would incorrectly choose the stack buffer while memset wrote the full byte_width + overflow_len, overflowing the stack allocation.

Changes:
- Rename BUFFER_STACK_SIZE to BUFFER_STACK_WORDS, add BUFFER_STACK_BYTES so both constants express their units unambiguously
- In fromBigInt: compare actual required allocation (byte_width + overflow_len) against BUFFER_STACK_BYTES
- In toBigInt: apply the same BUFFER_STACK_BYTES constant for consistency
- Add 8 regression tests for non-aligned buffer widths of 33 and 257 bytes
Summary
Bug fix for CVE-2025-3194: bigint-buffer Vulnerable to Buffer Overflow via toBigIntLE() Function.
Fixes the high-severity stack buffer overflow vulnerability in the native fromBigInt function (SNYK-JS-BIGINTBUFFER-3364597). An improved version of the fix previously submitted in PR #63.
- BUFFER_STACK_SIZE (32) to BUFFER_STACK_WORDS (32) + BUFFER_STACK_BYTES (256) to eliminate the element-vs-byte unit ambiguity that caused the bug
- fromBigInt: Changed fits_in_stack to compare the actual allocation size (byte_width + overflow_len) against BUFFER_STACK_BYTES instead of comparing word_count * 8 against an element count
- toBigInt: Updated to use the same byte-based constant for consistency
Impact
This package is a transitive dependency of many Solana ecosystem libraries. The vulnerability is flagged as high severity and blocks security audits for downstream consumers.
Root cause
The fits_in_stack check in fromBigInt compared word_count * 8 (the BigInt's word size in bytes) against BUFFER_STACK_SIZE (32, an element count, not a byte count) to decide whether to use a stack-allocated temporary buffer or malloc. The subsequent memset and napi_get_value_bigint_words always operated on byte_width + overflow_len bytes (the output buffer size rounded up to 8-byte alignment).
When a small BigInt was converted to a large non-64-aligned buffer (e.g. toBufferBE(3n, 257)), the check passed because the BigInt's word count was small, but memset wrote 264 bytes into a 256-byte stack buffer: a classic stack buffer overflow.
Fix
- fromBigInt: Compare the actual required allocation size (byte_width + overflow_len) against the stack buffer's capacity in bytes.
- BUFFER_STACK_SIZE → BUFFER_STACK_WORDS + new BUFFER_STACK_BYTES (= WORDS * sizeof(uint64_t)), eliminating the ambiguous element-vs-byte unit mismatch that caused the original bug and existed in toBigInt as well.
- toBigInt: Updated to use BUFFER_STACK_BYTES for consistency (was previously safe due to the uint8_t[] declaration, but the mixed units were misleading).
Tests
8 new regression tests in the Buffer overflow regression suite. All 46 tests pass (node). Browser tests are skipped as they fail on unmodified master due to a pre-existing webpack/OpenSSL incompatibility with modern Node versions.