buffer: check byteLength in readUInt(B|L)E

PR-URL: #11146 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
nodejs · Jan 5, 2018 · 9fea7ea · 9fea7ea
1 parent 94d6487
commit 9fea7ea
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 5 deletions.
diff --git a/benchmark/buffers/buffer-read-with-byteLength.js b/benchmark/buffers/buffer-read-with-byteLength.js
@@ -2,8 +2,10 @@
 const common = require('../common.js');
 
 const types = [
-  'IntLE',
   'IntBE',
+  'IntLE',
+  'UIntBE',
+  'UIntLE'
 ];
 
 const bench = common.createBenchmark(main, {

diff --git a/lib/buffer.js b/lib/buffer.js
@@ -1040,8 +1040,10 @@ Buffer.prototype.readUIntLE =
   function readUIntLE(offset, byteLength, noAssert) {
     offset = offset >>> 0;
     byteLength = byteLength >>> 0;
-    if (!noAssert)
+    if (!noAssert) {
+      checkByteLength(byteLength);
       checkOffset(offset, byteLength, this.length);
+    }
 
     var val = this[offset];
     var mul = 1;
@@ -1057,8 +1059,10 @@ Buffer.prototype.readUIntBE =
   function readUIntBE(offset, byteLength, noAssert) {
     offset = offset >>> 0;
     byteLength = byteLength >>> 0;
-    if (!noAssert)
+    if (!noAssert) {
+      checkByteLength(byteLength);
       checkOffset(offset, byteLength, this.length);
+    }
 
     var val = this[offset + --byteLength];
     var mul = 1;

diff --git a/test/parallel/test-buffer-read.js b/test/parallel/test-buffer-read.js
@@ -57,8 +57,14 @@ read(buf, 'readUInt32BE', [1], 0xfd48eacf);
 read(buf, 'readUInt32LE', [1], 0xcfea48fd);
 
 // testing basic functionality of readUIntBE() and readUIntLE()
-read(buf, 'readUIntBE', [2, 0], 0xfd);
-read(buf, 'readUIntLE', [2, 0], 0x48);
+read(buf, 'readUIntBE', [2, 2], 0x48ea);
+read(buf, 'readUIntLE', [2, 2], 0xea48);
+
+// invalid byteLength parameter for readUIntBE() and readUIntLE()
+common.expectsError(() => { buf.readUIntBE(2, 0); },
+                    { code: 'ERR_OUT_OF_RANGE' });
+common.expectsError(() => { buf.readUIntLE(2, 7); },
+                    { code: 'ERR_OUT_OF_RANGE' });
 
 // attempt to overflow buffers, similar to previous bug in array buffers
 assert.throws(() => Buffer.allocUnsafe(8).readFloatBE(0xffffffff),