From 9fea7eae9a48c6c2e8fb75204a4e5c60e700a3e2 Mon Sep 17 00:00:00 2001
From: Rich Trott
Date: Tue, 2 Jan 2018 16:10:57 -0800
Subject: [PATCH] buffer: check byteLength in readUInt(B|L)E
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
PR-URL: https://github.com/nodejs/node/pull/11146
Reviewed-By: James M Snell
Reviewed-By: Joyee Cheung
Reviewed-By: Ruben Bridgewater
Reviewed-By: Matteo Collina
Reviewed-By: Michaƫl Zasso
Reviewed-By: Colin Ihrig
---
 benchmark/buffers/buffer-read-with-byteLength.js | 4 +++-
 lib/buffer.js | 8 ++++++--
 test/parallel/test-buffer-read.js | 10 ++++++++--
 3 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/benchmark/buffers/buffer-read-with-byteLength.js b/benchmark/buffers/buffer-read-with-byteLength.js
index 013947da9dd485..2a659c1bec5e19 100644
--- a/benchmark/buffers/buffer-read-with-byteLength.js
+++ b/benchmark/buffers/buffer-read-with-byteLength.js
@@ -2,8 +2,10 @@
 const common = require('../common.js');
 const types = [
- 'IntLE',
 'IntBE',
+ 'IntLE',
+ 'UIntBE',
+ 'UIntLE'
 ];
 const bench = common.createBenchmark(main, {
diff --git a/lib/buffer.js b/lib/buffer.js
index cd08453c243561..03f0cb3377ea96 100644
--- a/lib/buffer.js
+++ b/lib/buffer.js
@@ -1040,8 +1040,10 @@ Buffer.prototype.readUIntLE =
 function readUIntLE(offset, byteLength, noAssert) {
 offset = offset >>> 0;
 byteLength = byteLength >>> 0;
- if (!noAssert)
+ if (!noAssert) {
+ checkByteLength(byteLength);
 checkOffset(offset, byteLength, this.length);
+ }
 var val = this[offset];
 var mul = 1;
@@ -1057,8 +1059,10 @@ Buffer.prototype.readUIntBE =
 function readUIntBE(offset, byteLength, noAssert) {
 offset = offset >>> 0;
 byteLength = byteLength >>> 0;
- if (!noAssert)
+ if (!noAssert) {
+ checkByteLength(byteLength);
 checkOffset(offset, byteLength, this.length);
+ }
 var val = this[offset + --byteLength];
 var mul = 1;
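Review bot: The new `checkByteLength(byteLength)` call in readUIntLE sits inside the `if (!noAssert)` block, so a caller passing a truthy `noAssert` still reaches `this[offset]` with an unvalidated length; the readUIntBE hunk has the same shape. In readUIntBE a `byteLength` of 0 makes `this[offset + --byteLength]` evaluate as `this[offset - 1]`, the byte before the requested offset, which matches the old test expectation of `0xfd` for `[2, 0]`. Consider moving `checkByteLength(byteLength);` above the `if (!noAssert)` so it always runs, or at least add a comment such as `// noAssert skips both the byteLength range check and the bounds check; callers must validate untrusted lengths themselves.` Both function bodies continue past the end of their hunks, and checkByteLength itself is not shown, so its accepted range is inferred from the tests in this patch.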
diff --git a/test/parallel/test-buffer-read.js b/test/parallel/test-buffer-read.js
index c5b3373cbf23cb..d024a3280333d8 100644
--- a/test/parallel/test-buffer-read.js
+++ b/test/parallel/test-buffer-read.js
@@ -57,8 +57,14 @@ read(buf, 'readUInt32BE', [1], 0xfd48eacf);
 read(buf, 'readUInt32LE', [1], 0xcfea48fd);
 // testing basic functionality of readUIntBE() and readUIntLE()
-read(buf, 'readUIntBE', [2, 0], 0xfd);
-read(buf, 'readUIntLE', [2, 0], 0x48);
+read(buf, 'readUIntBE', [2, 2], 0x48ea);
+read(buf, 'readUIntLE', [2, 2], 0xea48);
+
+// invalid byteLength parameter for readUIntBE() and readUIntLE()
+common.expectsError(() => { buf.readUIntBE(2, 0); },
+ { code: 'ERR_OUT_OF_RANGE' });
+common.expectsError(() => { buf.readUIntLE(2, 7); },
+ { code: 'ERR_OUT_OF_RANGE' });
 // attempt to overflow buffers, similar to previous bug in array buffers
 assert.throws(() => Buffer.allocUnsafe(8).readFloatBE(0xffffffff),
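Review bot: The two new `common.expectsError` cases exercise only one bound per function, `readUIntBE` with a byteLength of 0 and `readUIntLE` with 7, so a regression in the upper bound of the BE path or the lower bound of the LE path would go unnoticed. Add the mirrored calls, `common.expectsError(() => { buf.readUIntBE(2, 7); }, { code: 'ERR_OUT_OF_RANGE' });` and `common.expectsError(() => { buf.readUIntLE(2, 0); }, { code: 'ERR_OUT_OF_RANGE' });`. A case that passes `noAssert` as true would also pin down what the functions return when the check is skipped, which the lines shown here do not cover.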