fix: backport fix for GHSA-w5hq-g745-h8pq

Author: broofa

package-lock.json

@@ -158,6 +158,15 @@ describe('v35', () => {
     assert.throws(() => v3('hello.example.com', null, new Uint8Array(16)));
   });
 
+  test('v3 throws RangeError for out-of-range indexes', () => {
+    const buf15 = new Uint8Array(15);
+    const buf30 = new Uint8Array(30);
+
+    assert.throws(() => v3('hello.example.com', v3.DNS, buf15), RangeError);
+    assert.throws(() => v3('hello.example.com', v3.DNS, buf30, -1), RangeError);
+    assert.throws(() => v3('hello.example.com', v3.DNS, buf30, 15), RangeError);
+  });
+
   test('v5', () => {
     // Expect to get the same results as http://tools.adjet.org/uuid-v5
     assert.strictEqual(v5('hello.example.com', v5.DNS), 'fdda765f-fc57-5604-a269-52a7df8164ec');

src/test/v35.test.ts

@@ -87,4 +87,13 @@ describe('v6', () => {
     const id = v6ToV1(V6_ID);
     assert.equal(id, V1_ID);
   });
+
+  test('throws RangeError for out-of-range indexes', () => {
+    const buf15 = new Uint8Array(15);
+    const buf30 = new Uint8Array(30);
+
+    assert.throws(() => v6({}, buf15), RangeError);
+    assert.throws(() => v6({}, buf30, -1), RangeError);
+    assert.throws(() => v6({}, buf30, 15), RangeError);
+  });
 });

src/test/v6.test.ts

@@ -1,6 +1,6 @@
-import { UUIDTypes } from './types.js';
 import parse from './parse.js';
 import { unsafeStringify } from './stringify.js';
+import { UUIDTypes } from './types.js';
 
 export function stringToBytes(str: string) {
   // TODO: Use TextEncoder (see https://stackoverflow.com/a/48762658/109538)
@@ -53,6 +53,10 @@ export default function v35<TBuf extends Uint8Array = Uint8Array>(
   if (buf) {
     offset = offset || 0;
 
+    if (offset < 0 || offset + 16 > buf.length) {
+      throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
+    }
+
     for (let i = 0; i < 16; ++i) {
       buf[offset + i] = bytes[i];
     }

src/v35.ts

@@ -1,5 +1,5 @@
-import { UUIDTypes, Version6Options } from './types.js';
 import { unsafeStringify } from './stringify.js';
+import { UUIDTypes, Version6Options } from './types.js';
 import v1 from './v1.js';
 import v1ToV6 from './v1ToV6.js';
 
@@ -27,6 +27,10 @@ function v6<TBuf extends Uint8Array = Uint8Array>(
 
   // Return as a byte array if requested
   if (buf) {
+    if (offset < 0 || offset + 16 > buf.length) {
+      throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
+    }
+
     for (let i = 0; i < 16; i++) {
       buf[offset + i] = bytes[i];
     }