From 2679b62e9155ea7d0849cd9ca5b380675aa29234 Mon Sep 17 00:00:00 2001
From: Ryuhei Shima <65934663+islandryu@users.noreply.github.com>
Date: Thu, 15 Jan 2026 09:38:09 +0900
Subject: [PATCH] zlib: validate write_result array length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: https://github.com/nodejs/node/issues/61286
PR-URL: https://github.com/nodejs/node/pull/61342
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day>
---
 src/node_zlib.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/node_zlib.cc b/src/node_zlib.cc
index 726e7e2d4e8e85..d0077c282ba193 100644
--- a/src/node_zlib.cc
+++ b/src/node_zlib.cc
@@ -736,6 +736,7 @@ class ZlibStream final : public CompressionStream<ZlibContext> {
 
     CHECK(args[4]->IsUint32Array());
     Local<Uint32Array> array = args[4].As<Uint32Array>();
+    CHECK_GE(array->Length(), 2);
     Local<ArrayBuffer> ab = array->Buffer();
     uint32_t* write_result = static_cast<uint32_t*>(ab->Data());
 
@@ -809,6 +810,7 @@ class BrotliCompressionStream final :
     CHECK(args.Length() == 3 && "init(params, writeResult, writeCallback)");
 
     CHECK(args[1]->IsUint32Array());
+    CHECK_GE(args[1].As<Uint32Array>()->Length(), 2);
     uint32_t* write_result = reinterpret_cast<uint32_t*>(Buffer::Data(args[1]));
 
     CHECK(args[2]->IsFunction());
@@ -890,6 +892,7 @@ class ZstdStream final : public CompressionStream<CompressionContext> {
     ASSIGN_OR_RETURN_UNWRAP(&wrap, args.This());
 
     CHECK(args[2]->IsUint32Array());
+    CHECK_GE(args[2].As<Uint32Array>()->Length(), 2);
     uint32_t* write_result = reinterpret_cast<uint32_t*>(Buffer::Data(args[2]));
 
     CHECK(args[3]->IsFunction());