buffer: fix offset checks

Fixed offset checks in Buffer.readInt32LE() and Buffer.readInt32BE()
functions.

diff --git a/lib/buffer.js b/lib/buffer.js
index 3378dcebfcb2694c29ca8fe28940934f03143c4f..c75dbc93a8a5c70bc15d72448ee1bfaf7cc1442e 100644 (file)
--- a/lib/buffer.js
+++ b/lib/buffer.js
@@ -737,14 +737,14 @@ function readInt32(buffer, offset, isBigEndian) {
 
 Buffer.prototype.readInt32LE = function(offset, noAssert) {
   if (!noAssert)
-    checkOffset(offset, 2, this.length);
+    checkOffset(offset, 4, this.length);
   return readInt32(this, offset, false);
 };
 
 
 Buffer.prototype.readInt32BE = function(offset, noAssert) {
   if (!noAssert)
-    checkOffset(offset, 2, this.length);
+    checkOffset(offset, 4, this.length);
   return readInt32(this, offset, true);
 };
 

diff --git a/test/simple/test-buffer.js b/test/simple/test-buffer.js
index b0ab6ed53c7be5d71882347f85cf9b485805e92f..cd9096de5c8e9c666465abaef300ebd4661555dc 100644 (file)
--- a/test/simple/test-buffer.js
+++ b/test/simple/test-buffer.js
@@ -908,6 +908,39 @@ assert.throws(function() {
   buf.writeFloatLE(0.0, -1);
 }, /offset is not uint/);
 
+// offset checks
+var buf = new Buffer(0);
+
+assert.throws(function() { buf.readUInt8(0); }, /beyond buffer length/);
+assert.throws(function() { buf.readInt8(0); }, /beyond buffer length/);
+
+[16, 32].forEach(function(bits) {
+  var buf = new Buffer(bits / 8 - 1);
+
+  assert.throws(
+    function() { buf['readUInt' + bits + 'BE'](0); },
+    /beyond buffer length/,
+    'readUInt' + bits + 'BE'
+  );
+
+  assert.throws(
+    function() { buf['readUInt' + bits + 'LE'](0); },
+    /beyond buffer length/,
+    'readUInt' + bits + 'LE'
+  );
+
+  assert.throws(
+    function() { buf['readInt' + bits + 'BE'](0); },
+    /beyond buffer length/,
+    'readInt' + bits + 'BE()'
+  );
+
+  assert.throws(
+    function() { buf['readInt' + bits + 'LE'](0); },
+    /beyond buffer length/,
+    'readInt' + bits + 'LE()'
+  );
+});
 
 // SlowBuffer sanity checks.
 assert.throws(function() {