buffer: check byteLength in readInt(B|L)E

The 'byteLength' argument should be required and of type 'number'.
It should have a value between 1 and 6.

PR-URL: https://github.com/nodejs/node/pull/11146
Fixes: https://github.com/nodejs/node/issues/10515
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

1 files changed, 24 insertions, 6 deletions

diff --git a/lib/buffer.js b/lib/buffer.js
index 180bfe6bad..cd08453c24 100644
--- a/lib/buffer.js
+++ b/lib/buffer.js
@@ -200,10 +200,11 @@ Buffer.from = function from(value, encodingOrOffset, length) {
     );
   }
 
-  if (typeof value === 'number')
+  if (typeof value === 'number') {
     throw new errors.TypeError(
       'ERR_INVALID_ARG_TYPE', 'value', 'not number', value
     );
+  }
 
   const valueOf = value.valueOf && value.valueOf();
   if (valueOf !== null && valueOf !== undefined && valueOf !== value)
@@ -447,10 +448,11 @@ Buffer[kIsEncodingSymbol] = Buffer.isEncoding;
 
 Buffer.concat = function concat(list, length) {
   var i;
-  if (!Array.isArray(list))
+  if (!Array.isArray(list)) {
     throw new errors.TypeError(
       'ERR_INVALID_ARG_TYPE', 'list', ['Array', 'Buffer', 'Uint8Array']
     );
+  }
 
   if (list.length === 0)
     return new FastBuffer();
@@ -467,10 +469,11 @@ Buffer.concat = function concat(list, length) {
   var pos = 0;
   for (i = 0; i < list.length; i++) {
     var buf = list[i];
-    if (!isUint8Array(buf))
+    if (!isUint8Array(buf)) {
       throw new errors.TypeError(
         'ERR_INVALID_ARG_TYPE', 'list', ['Array', 'Buffer', 'Uint8Array']
       );
+    }
     _copy(buf, buffer, pos);
     pos += buf.length;
   }
@@ -1024,6 +1027,14 @@ function checkOffset(offset, ext, length) {
     throw new errors.RangeError('ERR_INDEX_OUT_OF_RANGE');
 }
 
+function checkByteLength(byteLength) {
+  if (byteLength < 1 || byteLength > 6) {
+    throw new errors.RangeError('ERR_OUT_OF_RANGE',
+                                'byteLength',
+                                '>= 1 and <= 6');
+  }
+}
+
 
 Buffer.prototype.readUIntLE =
   function readUIntLE(offset, byteLength, noAssert) {
@@ -1109,8 +1120,11 @@ Buffer.prototype.readUInt32BE = function readUInt32BE(offset, noAssert) {
 Buffer.prototype.readIntLE = function readIntLE(offset, byteLength, noAssert) {
   offset = offset >>> 0;
   byteLength = byteLength >>> 0;
-  if (!noAssert)
+
+  if (!noAssert) {
+    checkByteLength(byteLength);
     checkOffset(offset, byteLength, this.length);
+  }
 
   var val = this[offset];
   var mul = 1;
@@ -1129,8 +1143,11 @@ Buffer.prototype.readIntLE = function readIntLE(offset, byteLength, noAssert) {
 Buffer.prototype.readIntBE = function readIntBE(offset, byteLength, noAssert) {
   offset = offset >>> 0;
   byteLength = byteLength >>> 0;
-  if (!noAssert)
+
+  if (!noAssert) {
+    checkByteLength(byteLength);
     checkOffset(offset, byteLength, this.length);
+  }
 
   var i = byteLength;
   var mul = 1;
@@ -1612,9 +1629,10 @@ if (process.binding('config').hasIntl) {
   // Transcodes the Buffer from one encoding to another, returning a new
   // Buffer instance.
   transcode = function transcode(source, fromEncoding, toEncoding) {
-    if (!isUint8Array(source))
+    if (!isUint8Array(source)) {
       throw new errors.TypeError('ERR_INVALID_ARG_TYPE', 'source',
                                  ['Buffer', 'Uint8Array'], source);
+    }
     if (source.length === 0) return Buffer.alloc(0);
 
     fromEncoding = normalizeEncoding(fromEncoding) || fromEncoding;