crypto: check randomBytes() size argument

Throw a TypeError if size > 0x3fffffff. Avoids the following V8 fatal
error:

  FATAL ERROR: v8::Object::SetIndexedPropertiesToExternalArrayData()
  length exceeds max acceptable value

Fixes #5126.

2 files changed, 11 insertions, 3 deletions

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index afe45663d1..dd10507cee 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -3930,11 +3930,13 @@ Handle<Value> RandomBytes(const Arguments& args) {
   // maybe allow a buffer to write to? cuts down on object creation
   // when generating random data in a loop
   if (!args[0]->IsUint32()) {
-    Local<String> s = String::New("Argument #1 must be number > 0");
-    return ThrowException(Exception::TypeError(s));
+    return ThrowTypeError("Argument #1 must be number > 0");
   }
 
-  const size_t size = args[0]->Uint32Value();
+  const uint32_t size = args[0]->Uint32Value();
+  if (size > Buffer::kMaxLength) {
+    return ThrowTypeError("size > Buffer::kMaxLength");
+  }
 
   RandomBytesRequest* req = new RandomBytesRequest();
   req->error_ = 0;
diff --git a/test/simple/test-crypto-random.js b/test/simple/test-crypto-random.js
index 321c8574cd..24a76f4f1a 100644
--- a/test/simple/test-crypto-random.js
+++ b/test/simple/test-crypto-random.js
@@ -70,3 +70,9 @@ function checkCall(cb, desc) {
     return called_ = true, cb.apply(cb, Array.prototype.slice.call(arguments));
   };
 }
+
+// #5126, "FATAL ERROR: v8::Object::SetIndexedPropertiesToExternalArrayData()
+// length exceeds max acceptable value"
+assert.throws(function() {
+  crypto.randomBytes(0x3fffffff + 1);
+}, TypeError);