Skip to content

Commit

Permalink
buffer: fix unintended unsigned overflow
Browse files Browse the repository at this point in the history
`offset` is user supplied variable and may be bigger than
`ts_obj_length`. There is no need to subtract them and pass along, so
just throw when the subtraction result would overflow.

PR-URL: #7494
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
  • Loading branch information
indutny authored and cjihrig committed Aug 10, 2016
1 parent b3164ae commit 98f51ff
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions src/node_buffer.cc
Original file line number Diff line number Diff line change
Expand Up @@ -718,16 +718,16 @@ void StringWrite(const FunctionCallbackInfo<Value>& args) {
size_t max_length;

CHECK_NOT_OOB(ParseArrayIndex(args[1], 0, &offset));
if (offset >= ts_obj_length)
return env->ThrowRangeError("Offset is out of bounds");

CHECK_NOT_OOB(ParseArrayIndex(args[2], ts_obj_length - offset, &max_length));

max_length = MIN(ts_obj_length - offset, max_length);

if (max_length == 0)
return args.GetReturnValue().Set(0);

if (offset >= ts_obj_length)
return env->ThrowRangeError("Offset is out of bounds");

uint32_t written = StringBytes::Write(env->isolate(),
ts_obj_data + offset,
max_length,
Expand Down

0 comments on commit 98f51ff

Please sign in to comment.