fix(security): fixed the possible overflow related issue

SantiagoDePolonia · SantiagoDePolonia · commit 17666633e7e2 · 2026-03-23T14:35:55.000+01:00
diff --git a/internal/streaming/observed_sse_stream.go b/internal/streaming/observed_sse_stream.go
@@ -317,9 +317,8 @@ func joinedSuffix(prefix, data []byte, n int) []byte {
 	}
 
 	needPrefix := min(n-len(data), len(prefix))
-
-	result := make([]byte, needPrefix+len(data))
-	copy(result, prefix[len(prefix)-needPrefix:])
-	copy(result[needPrefix:], data)
+	result := make([]byte, 0, n)
+	result = append(result, prefix[len(prefix)-needPrefix:]...)
+	result = append(result, data...)
 	return result
 }
diff --git a/internal/streaming/observed_sse_stream_test.go b/internal/streaming/observed_sse_stream_test.go
@@ -289,3 +289,49 @@ func TestObservedSSEStream_ParsesCRLFBufferedEventsOnClose(t *testing.T) {
 		t.Fatal("observer was not closed")
 	}
 }
+
+func TestJoinedSuffix(t *testing.T) {
+	tests := []struct {
+		name   string
+		prefix []byte
+		data   []byte
+		n      int
+		want   []byte
+	}{
+		{
+			name: "returns nil for non-positive length",
+			data: []byte("abc"),
+			n:    0,
+			want: nil,
+		},
+		{
+			name: "returns suffix from data when data is long enough",
+			data: []byte("abcdef"),
+			n:    3,
+			want: []byte("def"),
+		},
+		{
+			name:   "combines prefix tail and data",
+			prefix: []byte("abcd"),
+			data:   []byte("ef"),
+			n:      4,
+			want:   []byte("cdef"),
+		},
+		{
+			name:   "uses available prefix bytes only",
+			prefix: []byte("ab"),
+			data:   []byte("cd"),
+			n:      5,
+			want:   []byte("abcd"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := joinedSuffix(tt.prefix, tt.data, tt.n)
+			if !bytes.Equal(got, tt.want) {
+				t.Fatalf("joinedSuffix() = %q, want %q", got, tt.want)
+			}
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -317,9 +317,8 @@ func joinedSuffix(prefix, data []byte, n int) []byte {`
`317`	`317`	`}`
`318`	`318`
`319`	`319`	`needPrefix := min(n-len(data), len(prefix))`
`320`		`-`
`321`		`- result := make([]byte, needPrefix+len(data))`
`322`		`- copy(result, prefix[len(prefix)-needPrefix:])`
`323`		`- copy(result[needPrefix:], data)`
	`320`	`+ result := make([]byte, 0, n)`
	`321`	`+ result = append(result, prefix[len(prefix)-needPrefix:]...)`
	`322`	`+ result = append(result, data...)`
`324`	`323`	`return result`
`325`	`324`	`}`