
buffer: fix unintended unsigned overflow

`offset` is a user-supplied variable and may be bigger than
`ts_obj_length`. There is no need to subtract them and pass along, so
just throw when the subtraction result would overflow.

PR-URL: https://github.com/nodejs/node/pull/7494
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
v7.x
Fedor Indutny 9 years ago
parent
commit
46f40cfb4c
  1. 6
      src/node_buffer.cc

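--- a/src/node_buffer.cc
+++ b/src/node_buffer.cc
@@ -718,6 +718,9 @@ void StringWrite(const FunctionCallbackInfo<Value>& args) {
 size_t max_length;
 CHECK_NOT_OOB(ParseArrayIndex(args[1], 0, &offset));
+if (offset >= ts_obj_length)
+return env->ThrowRangeError("Offset is out of bounds");
 CHECK_NOT_OOB(ParseArrayIndex(args[2], ts_obj_length - offset, &max_length));
 max_length = MIN(ts_obj_length - offset, max_length);
@@ -725,9 +728,6 @@ void StringWrite(const FunctionCallbackInfo<Value>& args) {
 if (max_length == 0)
 return args.GetReturnValue().Set(0);
-if (offset >= ts_obj_length)
-return env->ThrowRangeError("Offset is out of bounds");
 uint32_t written = StringBytes::Write(env->isolate(),
 ts_obj_data + offset,
 max_length,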
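Review bot: The relocated guard `if (offset >= ts_obj_length)` in the first hunk now runs before the `max_length == 0` early return, so a call with `offset == ts_obj_length` (including offset 0 on an empty buffer) appears to throw a RangeError where the old ordering returned 0. Only `offset > ts_obj_length` makes `ts_obj_length - offset` wrap, so `if (offset > ts_obj_length)` would keep the overflow fix without changing that boundary case. With equality the window is zero bytes long and control falls through to the existing `return args.GetReturnValue().Set(0);`. A regression test covering both an offset past the end and an offset exactly at the end would pin the intended behaviour. StringWrite's body starts above and continues below the visible hunks, so this reading is limited to the lines shown.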
