Browse Source

buffer: throw range error before truncating write

The check to determine whether `noAssert` was set to true and thus
whether RangeErrors should be thrown was happening after the write was
truncated to the available size of the buffer. These checks now occur in
the correct order.

Fixes: https://github.com/nodejs/node/issues/5587
PR-URL: https://github.com/nodejs/node/pull/5605
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
process-exit-stdio-flushing
Matt Loring 9 years ago
committed by James M Snell
parent
commit
d3c0d1bb8b
  1. 6
      src/node_buffer.cc
  2. 10
      test/parallel/test-buffer.js

6
src/node_buffer.cc

@ -814,14 +814,14 @@ void WriteFloatGeneric(const FunctionCallbackInfo<Value>& args) {
size_t offset = args[2]->IntegerValue(env->context()).FromMaybe(0);
size_t memcpy_num = sizeof(T);
if (offset + sizeof(T) > ts_obj_length)
memcpy_num = ts_obj_length - offset;
if (should_assert) {
CHECK_NOT_OOB(offset + memcpy_num >= memcpy_num);
CHECK_NOT_OOB(offset + memcpy_num <= ts_obj_length);
}
CHECK_LE(offset + memcpy_num, ts_obj_length);
if (offset + memcpy_num > ts_obj_length)
memcpy_num = ts_obj_length - offset;
union NoAlias {
T val;

10
test/parallel/test-buffer.js

@ -1038,6 +1038,16 @@ assert.throws(function() {
Buffer(0xFFFFFFFFF);
}, RangeError);
// issue GH-5587
assert.throws(function() {
var buf = new Buffer(8);
buf.writeFloatLE(0, 5);
}, RangeError);
assert.throws(function() {
var buf = new Buffer(16);
buf.writeDoubleLE(0, 9);
}, RangeError);
// attempt to overflow buffers, similar to previous bug in array buffers
assert.throws(function() {

Loading…
Cancel
Save