diff options
author | Sebastian Van Sande <sebastian@vansande.org> | 2017-02-03 16:05:28 +0100 |
---|---|---|
committer | Ruben Bridgewater <ruben@bridgewater.de> | 2018-01-05 12:37:38 +0100 |
commit | d964ffeec356167038b4060c867b355d5fea6987 (patch) | |
tree | 7cb701db6aa78aabf1739ee28e1ba240ad80b1db /lib/buffer.js | |
parent | a9e422eee2b32bfed38aa78845305aac06720712 (diff) | |
download | android-node-v8-d964ffeec356167038b4060c867b355d5fea6987.tar.gz android-node-v8-d964ffeec356167038b4060c867b355d5fea6987.tar.bz2 android-node-v8-d964ffeec356167038b4060c867b355d5fea6987.zip |
buffer: check byteLength in readInt(B|L)E
The 'byteLength' argument should be required and of type 'number'.
It should have a value between 1 and 6.
PR-URL: https://github.com/nodejs/node/pull/11146
Fixes: https://github.com/nodejs/node/issues/10515
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michaƫl Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Diffstat (limited to 'lib/buffer.js')
-rw-r--r-- | lib/buffer.js | 30 |
1 files changed, 24 insertions, 6 deletions
diff --git a/lib/buffer.js b/lib/buffer.js index 180bfe6bad..cd08453c24 100644 --- a/lib/buffer.js +++ b/lib/buffer.js @@ -200,10 +200,11 @@ Buffer.from = function from(value, encodingOrOffset, length) { ); } - if (typeof value === 'number') + if (typeof value === 'number') { throw new errors.TypeError( 'ERR_INVALID_ARG_TYPE', 'value', 'not number', value ); + } const valueOf = value.valueOf && value.valueOf(); if (valueOf !== null && valueOf !== undefined && valueOf !== value) @@ -447,10 +448,11 @@ Buffer[kIsEncodingSymbol] = Buffer.isEncoding; Buffer.concat = function concat(list, length) { var i; - if (!Array.isArray(list)) + if (!Array.isArray(list)) { throw new errors.TypeError( 'ERR_INVALID_ARG_TYPE', 'list', ['Array', 'Buffer', 'Uint8Array'] ); + } if (list.length === 0) return new FastBuffer(); @@ -467,10 +469,11 @@ Buffer.concat = function concat(list, length) { var pos = 0; for (i = 0; i < list.length; i++) { var buf = list[i]; - if (!isUint8Array(buf)) + if (!isUint8Array(buf)) { throw new errors.TypeError( 'ERR_INVALID_ARG_TYPE', 'list', ['Array', 'Buffer', 'Uint8Array'] ); + } _copy(buf, buffer, pos); pos += buf.length; } @@ -1024,6 +1027,14 @@ function checkOffset(offset, ext, length) { throw new errors.RangeError('ERR_INDEX_OUT_OF_RANGE'); } +function checkByteLength(byteLength) { + if (byteLength < 1 || byteLength > 6) { + throw new errors.RangeError('ERR_OUT_OF_RANGE', + 'byteLength', + '>= 1 and <= 6'); + } +} + Buffer.prototype.readUIntLE = function readUIntLE(offset, byteLength, noAssert) { @@ -1109,8 +1120,11 @@ Buffer.prototype.readUInt32BE = function readUInt32BE(offset, noAssert) { Buffer.prototype.readIntLE = function readIntLE(offset, byteLength, noAssert) { offset = offset >>> 0; byteLength = byteLength >>> 0; - if (!noAssert) + + if (!noAssert) { + checkByteLength(byteLength); checkOffset(offset, byteLength, this.length); + } var val = this[offset]; var mul = 1; @@ -1129,8 +1143,11 @@ Buffer.prototype.readIntLE = function readIntLE(offset, byteLength, noAssert) { Buffer.prototype.readIntBE = function readIntBE(offset, byteLength, noAssert) { offset = offset >>> 0; byteLength = byteLength >>> 0; - if (!noAssert) + + if (!noAssert) { + checkByteLength(byteLength); checkOffset(offset, byteLength, this.length); + } var i = byteLength; var mul = 1; @@ -1612,9 +1629,10 @@ if (process.binding('config').hasIntl) { // Transcodes the Buffer from one encoding to another, returning a new // Buffer instance. transcode = function transcode(source, fromEncoding, toEncoding) { - if (!isUint8Array(source)) + if (!isUint8Array(source)) { throw new errors.TypeError('ERR_INVALID_ARG_TYPE', 'source', ['Buffer', 'Uint8Array'], source); + } if (source.length === 0) return Buffer.alloc(0); fromEncoding = normalizeEncoding(fromEncoding) || fromEncoding; |