authorBen Noordhuis <info@bnoordhuis.nl>2013-01-17 01:10:15 +0100
committerBen Noordhuis <info@bnoordhuis.nl>2013-01-17 01:22:11 +0100
commit498200b87c186658c867772bd6cf0c8afcb2b56b (patch)
treeaa5c9c7af6719e5ce1e27cae2ad36b7251af6b8a /src/node_buffer.cc
parent6b4a93577b5677f9738f6dd7d7acd71f86f46888 (diff)
buffer: reject negative SlowBuffer offsets
Reject negative offsets in SlowBuffer::MakeFastBuffer(); a negative offset allows the creation of buffers that point to arbitrary addresses. Reported by Trevor Norris.
Diffstat (limited to 'src/node_buffer.cc')
-rw-r--r--src/node_buffer.cc13
1 files changed, 13 insertions, 0 deletions
diff --git a/src/node_buffer.cc b/src/node_buffer.cc
index 98dfa5e000..4a6e836653 100644
--- a/src/node_buffer.cc
+++ b/src/node_buffer.cc
@@ -708,6 +708,19 @@ Handle<Value> Buffer::MakeFastBuffer(const Arguments &args) {
uint32_t offset = args[2]->Uint32Value();
uint32_t length = args[3]->Uint32Value();
+ if (offset > buffer->length_) {
+ return ThrowRangeError("offset out of range");
+ }
+
+ if (offset + length > buffer->length_) {
+ return ThrowRangeError("length out of range");
+ }
+
+ // Check for wraparound. Safe because offset and length are unsigned.
+ if (offset + length < offset) {
+ return ThrowRangeError("offset or length out of range");
+ }
+
fast_buffer->SetIndexedPropertiesToExternalArrayData(buffer->data_ + offset,
kExternalUnsignedByteArray,
length);
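Review bot: The second check, `if (offset + length > buffer->length_)`, compares a sum that may already have wrapped in 32-bit arithmetic, so it is only sound because the wraparound check further down also returns before the pointer is used. Since the first check guarantees `offset <= buffer->length_`, the bound can be written without any addition as `if (length > buffer->length_ - offset)`, which cannot overflow (assuming `length_` is an unsigned size, which the hunk does not show) and makes the separate wraparound test unnecessary. If the three checks stay as they are, move the wraparound test above the sum comparison and extend its comment to something like `// Must run before any use of offset + length; Uint32Value() maps negative inputs to large unsigned values.` The start of MakeFastBuffer is outside the hunk, so whether `buffer` itself is validated cannot be confirmed from here.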