src: fix validation of negative offset to avoid abort

Fixes: #24640
Signed-off-by: James M Snell <jasnell@gmail.com>

PR-URL: #38421
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Nitzan Uziely <linkgoron@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>

Author: jasnell

lib/fs.js

@@ -535,7 +535,7 @@ function read(fd, buffer, offset, length, position, callback) {
   if (offset == null) {
     offset = 0;
   } else {
-    validateInteger(offset, 'offset');
+    validateInteger(offset, 'offset', 0);
   }
 
   length |= 0;
@@ -589,7 +589,7 @@ function readSync(fd, buffer, offset, length, position) {
   if (offset == null) {
     offset = 0;
   } else {
-    validateInteger(offset, 'offset');
+    validateInteger(offset, 'offset', 0);
   }
 
   length |= 0;
@@ -667,7 +667,7 @@ function write(fd, buffer, offset, length, position, callback) {
     if (offset == null || typeof offset === 'function') {
       offset = 0;
     } else {
-      validateInteger(offset, 'offset');
+      validateInteger(offset, 'offset', 0);
     }
     if (typeof length !== 'number')
       length = buffer.length - offset;
@@ -715,7 +715,7 @@ function writeSync(fd, buffer, offset, length, position) {
     if (offset == null) {
       offset = 0;
     } else {
-      validateInteger(offset, 'offset');
+      validateInteger(offset, 'offset', 0);
     }
     if (typeof length !== 'number')
       length = buffer.byteLength - offset;

lib/internal/fs/promises.js

@@ -366,7 +366,7 @@ async function read(handle, bufferOrOptions, offset, length, position) {
   if (offset == null) {
     offset = 0;
   } else {
-    validateInteger(offset, 'offset');
+    validateInteger(offset, 'offset', 0);
   }
 
   length |= 0;
@@ -409,7 +409,7 @@ async function write(handle, buffer, offset, length, position) {
     if (offset == null) {
       offset = 0;
     } else {
-      validateInteger(offset, 'offset');
+      validateInteger(offset, 'offset', 0);
     }
     if (typeof length !== 'number')
       length = buffer.length - offset;

lib/internal/fs/utils.js

@@ -620,6 +620,10 @@ const validateOffsetLengthWrite = hideStackFrames(
     if (length > byteLength - offset) {
       throw new ERR_OUT_OF_RANGE('length', `<= ${byteLength - offset}`, length);
     }
+
+    if (length < 0) {
+      throw new ERR_OUT_OF_RANGE('length', '>= 0', length);
+    }
   }
 );
 

test/parallel/test-fs-read-type.js

@@ -44,8 +44,6 @@ assert.throws(() => {
 }, {
   code: 'ERR_OUT_OF_RANGE',
   name: 'RangeError',
-  message: 'The value of "offset" is out of range. It must be >= 0. ' +
-           'Received -1'
 });
 
 assert.throws(() => {
@@ -109,8 +107,6 @@ assert.throws(() => {
 }, {
   code: 'ERR_OUT_OF_RANGE',
   name: 'RangeError',
-  message: 'The value of "offset" is out of range. ' +
-           'It must be >= 0. Received -1'
 });
 
 assert.throws(() => {

test/parallel/test-fs-write-negativeoffset.js

@@ -0,0 +1,55 @@
+'use strict';
+
+// Tests that passing a negative offset does not crash the process
+
+const common = require('../common');
+
+const {
+  join,
+} = require('path');
+
+const {
+  closeSync,
+  open,
+  write,
+  writeSync,
+} = require('fs');
+
+const assert = require('assert');
+
+const tmpdir = require('../common/tmpdir');
+tmpdir.refresh();
+
+const filename = join(tmpdir.path, 'test.txt');
+
+open(filename, 'w+', common.mustSucceed((fd) => {
+  assert.throws(() => {
+    write(fd, Buffer.alloc(0), -1, common.mustNotCall());
+  }, {
+    code: 'ERR_OUT_OF_RANGE',
+  });
+  assert.throws(() => {
+    writeSync(fd, Buffer.alloc(0), -1);
+  }, {
+    code: 'ERR_OUT_OF_RANGE',
+  });
+  closeSync(fd);
+}));
+
+const filename2 = join(tmpdir.path, 'test2.txt');
+
+// Make sure negative length's don't cause aborts either
+
+open(filename2, 'w+', common.mustSucceed((fd) => {
+  assert.throws(() => {
+    write(fd, Buffer.alloc(0), 0, -1, common.mustNotCall());
+  }, {
+    code: 'ERR_OUT_OF_RANGE',
+  });
+  assert.throws(() => {
+    writeSync(fd, Buffer.alloc(0), 0, -1);
+  }, {
+    code: 'ERR_OUT_OF_RANGE',
+  });
+  closeSync(fd);
+}));