buffer: fix value check for writeUInt{B,L}E

Fixes: #3497
PR-URL: #3500
Reviewed-By: Ben Noordhuis <[email protected]>

Author: trevnorris

lib/buffer.js

@@ -832,8 +832,10 @@ Buffer.prototype.writeUIntLE = function(value, offset, byteLength, noAssert) {
   value = +value;
   offset = offset >>> 0;
   byteLength = byteLength >>> 0;
-  if (!noAssert)
-    checkInt(this, value, offset, byteLength, Math.pow(2, 8 * byteLength), 0);
+  if (!noAssert) {
+    const maxBytes = Math.pow(2, 8 * byteLength) - 1;
+    checkInt(this, value, offset, byteLength, maxBytes, 0);
+  }
 
   var mul = 1;
   var i = 0;
@@ -849,8 +851,10 @@ Buffer.prototype.writeUIntBE = function(value, offset, byteLength, noAssert) {
   value = +value;
   offset = offset >>> 0;
   byteLength = byteLength >>> 0;
-  if (!noAssert)
-    checkInt(this, value, offset, byteLength, Math.pow(2, 8 * byteLength), 0);
+  if (!noAssert) {
+    const maxBytes = Math.pow(2, 8 * byteLength) - 1;
+    checkInt(this, value, offset, byteLength, maxBytes, 0);
+  }
 
   var i = byteLength - 1;
   var mul = 1;

test/parallel/test-writeuint.js

@@ -122,6 +122,25 @@ function test32(clazz) {
 }
 
 
+function testUint(clazz) {
+  const data = new clazz(8);
+  var val = 1;
+
+  // Test 0 to 5 bytes.
+  for (var i = 0; i <= 5; i++) {
+    const errmsg = `byteLength: ${i}`;
+    ASSERT.throws(function() {
+      data.writeUIntBE(val, 0, i);
+    }, /value is out of bounds/, errmsg);
+    ASSERT.throws(function() {
+      data.writeUIntLE(val, 0, i);
+    }, /value is out of bounds/, errmsg);
+    val *= 0x100;
+  }
+}
+
+
 test8(Buffer);
 test16(Buffer);
 test32(Buffer);
+testUint(Buffer);