mirror of https://github.com/nodejs/node.git synced 2024-12-01 16:10:02 +01:00

buffer: fix unintended unsigned overflow

`offset` is a user-supplied variable and may be bigger than
`ts_obj_length`. There is no need to subtract them and pass the result along, so
just throw when the subtraction result would overflow.

PR-URL: https://github.com/nodejs/node/pull/7494
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Fedor Indutny 2016-06-30 03:41:28 -04:00
parent a528d0dd05
commit 46f40cfb4c


@ -718,6 +718,9 @@ void StringWrite(const FunctionCallbackInfo<Value>& args) {
size_t max_length;
CHECK_NOT_OOB(ParseArrayIndex(args[1], 0, &offset));
if (offset >= ts_obj_length)
return env->ThrowRangeError("Offset is out of bounds");
CHECK_NOT_OOB(ParseArrayIndex(args[2], ts_obj_length - offset, &max_length));
max_length = MIN(ts_obj_length - offset, max_length);
@ -725,9 +728,6 @@ void StringWrite(const FunctionCallbackInfo<Value>& args) {
if (max_length == 0)
return args.GetReturnValue().Set(0);
if (offset >= ts_obj_length)
return env->ThrowRangeError("Offset is out of bounds");
uint32_t written = StringBytes::Write(env->isolate(),
ts_obj_data + offset,
max_length,
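Review bot: The relocated guard `if (offset >= ts_obj_length)` rejects more than the overflow case the description names, because `ts_obj_length - offset` only wraps when `offset > ts_obj_length`; at equality it is 0. Since the guard now sits ahead of the `max_length == 0` early return, a call with `offset == ts_obj_length` (including offset 0 on an empty buffer) appears to throw a RangeError where `return args.GetReturnValue().Set(0)` would otherwise be reached. If that behaviour change is not intended, `if (offset > ts_obj_length)` still keeps the unsigned subtraction safe and leaves the zero-length path alone; either way a regression test for the boundary value would pin it down. StringWrite's body starts and ends outside these hunks, so this is judged from the visible lines only.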