From 96ede8cc9b946e23482f855b19428868cab6021a Mon Sep 17 00:00:00 2001
From: koichik
Date: Thu, 1 Sep 2011 16:48:35 +0900
Subject: [PATCH] buffer: Avoid overrun with 'binary' encoding. Fixes #1624.
---
 src/node_buffer.cc | 6 ++++--
 test/simple/test-buffer.js | 6 ++++++
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/node_buffer.cc b/src/node_buffer.cc
index 75573920e0..961edfcae9 100644
--- a/src/node_buffer.cc
+++ b/src/node_buffer.cc
@@ -667,9 +667,11 @@ Handle Buffer::BinaryWrite(const Arguments &args) {
 char *p = (char*)buffer->data_ + offset;
- size_t towrite = MIN((unsigned long) s->Length(), buffer->length_ - offset);
+ size_t max_length = args[2]->IsUndefined() ? buffer->length_ - offset
+ : args[2]->Uint32Value();
+ max_length = MIN(s->Length(), MIN(buffer->length_ - offset, max_length));
- int written = DecodeWrite(p, towrite, s, BINARY);
+ int written = DecodeWrite(p, max_length, s, BINARY);
 return scope.Close(Integer::New(written));
 }
diff --git a/test/simple/test-buffer.js b/test/simple/test-buffer.js
index 6b35d726f6..c24dbc6433 100644
--- a/test/simple/test-buffer.js
+++ b/test/simple/test-buffer.js
@@ -553,3 +553,9 @@ assert.equal(written, 9);
 written = buf.write('あいう\0'); // 3bytes * 3 + 1byte
 assert.equal(written, 10);
+// test for buffer overrun
+buf = new Buffer([0, 0, 0, 0, 0]); // length: 5
+var sub = buf.slice(0, 4); // length: 4
+written = sub.write('12345', 'binary');
+assert.equal(written, 4);
+assert.equal(buf[4], 0);
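Review bot: Both bounds in the new `max_length` computation rest on `buffer->length_ - offset`, which (assuming both operands are unsigned, as the size_t result suggests) wraps to a very large value if `offset` ever exceeds `buffer->length_`, leaving only `s->Length()` to limit the write. The check that rules this out is not visible here, since BinaryWrite starts above the hunk, so confirm it covers every path. Computing the value once with the precondition stated would make the dependency explicit: `size_t remaining = buffer->length_ - offset;  // offset <= length_ is checked above`. The new `MIN(s->Length(), ...)` also compares a signed length against a size_t without the cast the removed line carried; `(size_t) s->Length()` keeps that conversion explicit.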
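Review bot: The added test only exercises the call with no length argument, so the `args[2]->Uint32Value()` branch introduced in node_buffer.cc goes untested. Add a case that passes an explicit length larger than the slice and repeats the two assertions, for example `written = sub.write('12345', 0, 10, 'binary');` (assuming `write(string, offset, length, encoding)` is the argument order in this tree). A second case with a non-zero offset would cover the `length_ - offset` clamp, and resetting `buf` between cases keeps the `buf[4]` check meaningful.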