buffer: fix unintended unsigned overflow

indutny · indutny · commit 46f40cfb4c3a · 2016-07-11T02:23:11.000-04:00
`offset` is user supplied variable and may be bigger than `ts_obj_length`. There is no need to subtract them and pass along, so just throw when the subtraction result would overflow. PR-URL: #7494 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
diff --git a/src/node_buffer.cc b/src/node_buffer.cc
@@ -718,16 +718,16 @@ void StringWrite(const FunctionCallbackInfo<Value>& args) {
   size_t max_length;
 
   CHECK_NOT_OOB(ParseArrayIndex(args[1], 0, &offset));
+  if (offset >= ts_obj_length)
+    return env->ThrowRangeError("Offset is out of bounds");
+
   CHECK_NOT_OOB(ParseArrayIndex(args[2], ts_obj_length - offset, &max_length));
 
   max_length = MIN(ts_obj_length - offset, max_length);
 
   if (max_length == 0)
     return args.GetReturnValue().Set(0);
 
-  if (offset >= ts_obj_length)
-    return env->ThrowRangeError("Offset is out of bounds");
-
   uint32_t written = StringBytes::Write(env->isolate(),
                                         ts_obj_data + offset,
                                         max_length,
