diff --git a/src/node_buffer.cc b/src/node_buffer.cc
index 4d23c4c283..a4a7ec159d 100644
--- a/src/node_buffer.cc
+++ b/src/node_buffer.cc
@@ -814,14 +814,14 @@ void WriteFloatGeneric(const FunctionCallbackInfo& args) {
 size_t offset = args[2]->IntegerValue(env->context()).FromMaybe(0);
 size_t memcpy_num = sizeof(T);
- if (offset + sizeof(T) > ts_obj_length)
- memcpy_num = ts_obj_length - offset;
 if (should_assert) {
 CHECK_NOT_OOB(offset + memcpy_num >= memcpy_num);
 CHECK_NOT_OOB(offset + memcpy_num <= ts_obj_length);
 }
- CHECK_LE(offset + memcpy_num, ts_obj_length);
+
+ if (offset + memcpy_num > ts_obj_length)
+ memcpy_num = ts_obj_length - offset;
 union NoAlias {
 T val;
diff --git a/test/parallel/test-buffer.js b/test/parallel/test-buffer.js
index 0f424695b5..5f9180aadb 100644
--- a/test/parallel/test-buffer.js
+++ b/test/parallel/test-buffer.js
@@ -1038,6 +1038,16 @@ assert.throws(function() {
 Buffer(0xFFFFFFFFF);
 }, RangeError);
+// issue GH-5587
+assert.throws(function() {
+ var buf = new Buffer(8);
+ buf.writeFloatLE(0, 5);
+}, RangeError);
+assert.throws(function() {
+ var buf = new Buffer(16);
+ buf.writeDoubleLE(0, 9);
+}, RangeError);
+
 // attempt to overflow buffers, similar to previous bug in array buffers
 assert.throws(function() {
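Review bot: In the src/node_buffer.cc hunk, the relocated clamp `if (offset + memcpy_num > ts_obj_length) memcpy_num = ts_obj_length - offset;` is the only bound left when should_assert is false, and it is not overflow-safe. `offset` is a size_t filled from IntegerValue(), so a negative or very large JS offset can make `offset + memcpy_num` wrap past the comparison, and any offset greater than ts_obj_length makes `ts_obj_length - offset` wrap to a huge count. The commit also drops the unconditional `CHECK_LE(offset + memcpy_num, ts_obj_length)`, so nothing visible in the hunk stops that value from reaching the copy, which presumably follows the NoAlias union outside the hunk. A subtraction-only form avoids both cases: `if (offset >= ts_obj_length) memcpy_num = 0; else if (memcpy_num > ts_obj_length - offset) memcpy_num = ts_obj_length - offset;`. The new cases in test-buffer.js cover only the throwing path, so a noAssert write with an offset past the end would be worth adding alongside them.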