From 98f51ffeb6bcf79f896aa4ee100ea25866f20f01 Mon Sep 17 00:00:00 2001
From: Fedor Indutny
Date: Thu, 30 Jun 2016 03:41:28 -0400
Subject: [PATCH] buffer: fix unintended unsigned overflow

`offset` is user supplied variable and may be bigger than `ts_obj_length`. There is no need to subtract them and pass along, so just throw when the subtraction result would overflow.

PR-URL: https://github.com/nodejs/node/pull/7494
Reviewed-By: Ben Noordhuis
---
 src/node_buffer.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/node_buffer.cc b/src/node_buffer.cc
index fa45d28b8f..eda51cac20 100644
--- a/src/node_buffer.cc
+++ b/src/node_buffer.cc
@@ -718,6 +718,9 @@ void StringWrite(const FunctionCallbackInfo& args) {
 size_t max_length;
 CHECK_NOT_OOB(ParseArrayIndex(args[1], 0, &offset));
+ if (offset >= ts_obj_length)
+ return env->ThrowRangeError("Offset is out of bounds");
+
 CHECK_NOT_OOB(ParseArrayIndex(args[2], ts_obj_length - offset, &max_length));
 max_length = MIN(ts_obj_length - offset, max_length);
@@ -725,9 +728,6 @@ void StringWrite(const FunctionCallbackInfo& args) {
 if (max_length == 0) return args.GetReturnValue().Set(0);
- if (offset >= ts_obj_length)
- return env->ThrowRangeError("Offset is out of bounds");
-
 uint32_t written = StringBytes::Write(env->isolate(), ts_obj_data + offset, max_length,
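Review bot: The relocated guard in the first hunk, `if (offset >= ts_obj_length)`, is stricter than the unsigned underflow it prevents requires, and it now runs ahead of the `max_length == 0` early return that the second hunk keeps as context. When `offset` equals `ts_obj_length` the subtraction `ts_obj_length - offset` is 0 and cannot wrap, and before this change that case fell through to `return args.GetReturnValue().Set(0)`; with the guard moved up it throws a RangeError instead, which would presumably affect an empty write at the end of a buffer or any write into a zero-length one. Rejecting only the wrapping case, `if (offset > ts_obj_length)`, keeps the fix and the old result at the boundary. The patch touches only src/node_buffer.cc, so a regression test for an `offset` just past the length, and for `offset` equal to it, would pin both sides of the check. StringWrite starts and ends outside these hunks, so how `offset` and `ts_obj_length` are declared is not visible here.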