buffer: fix Buffer.utf8Write fails when length exceeds integer range

Author: kylo5aby

src/node_buffer.cc

@@ -724,6 +724,9 @@ void StringWrite(const FunctionCallbackInfo<Value>& args) {
                                           &max_length));
 
   max_length = std::min(ts_obj_length - offset, max_length);
+  if (max_length > static_cast<size_t>(v8::String::kMaxLength)) {
+      ThrowErrStringTooLong(env->isolate());
+  }
 
   if (max_length == 0)
     return args.GetReturnValue().Set(0);

test/parallel/test-buffer-alloc.js

@@ -8,6 +8,7 @@ const {
   SlowBuffer,
   kMaxLength,
 } = require('buffer');
+const kStringMaxLength = require('buffer').constants.MAX_STRING_LENGTH;
 
 // Verify the maximum Uint8Array size. There is no concrete limit by spec. The
 // internal limits should be updated if this fails.
@@ -107,6 +108,13 @@ const outOfRangeError = {
   name: 'RangeError'
 };
 
+const stringTooLongError = {
+  message: `Cannot create a string longer than 0x${kStringMaxLength.toString(16)}` +
+    ' characters',
+  code: 'ERR_STRING_TOO_LONG',
+  name: 'Error',
+};
+
 // Try to write a 0-length string beyond the end of b
 assert.throws(() => b.write('', 2048), outOfRangeError);
 
@@ -1147,6 +1155,22 @@ assert.throws(() => {
   assert.strictEqual(ubuf.buffer.byteLength, 10);
 }
 
+// Invalid length of Buffer.utf8Write
+{
+  const ubuf = Buffer.allocUnsafeSlow(2 ** 32);
+  assert.throws(() => {
+    ubuf.utf8Write('a', 2, kStringMaxLength + 2);
+  }, stringTooLongError);
+}
+
+// Invalid length of Buffer.write
+{
+  const ubuf = Buffer.allocUnsafeSlow(2 ** 32);
+  assert.throws(() => {
+    ubuf.write('a', 2, kStringMaxLength + 2);
+  }, stringTooLongError);
+}
+
 // Regression test to verify that an empty ArrayBuffer does not throw.
 Buffer.from(new ArrayBuffer());