buffer: fix end parameter bugs in indexOf/lastIndexOf

- Fix FastIndexOfNumber parameter order mismatch (end_i64 and
  is_forward were swapped vs the JS call site and slow path)
- Clamp negative end values to 0 to prevent size_t overflow in
  IndexOfString, IndexOfBuffer, and IndexOfNumberImpl
- Clamp empty needle result to search_end

Signed-off-by: Robert Nagy <ronagy@icloud.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ronag

src/node_buffer.cc

@@ -984,7 +984,8 @@ void IndexOfString(const FunctionCallbackInfo<Value>& args) {
 
   // search_end is the exclusive upper bound of the search range.
   size_t search_end = static_cast<size_t>(
-      std::min(end_i64, static_cast<int64_t>(haystack_length)));
+      std::min(std::max(end_i64, int64_t{0}),
+               static_cast<int64_t>(haystack_length)));
   if (enc == UCS2) search_end &= ~static_cast<size_t>(1);
 
   int64_t opt_offset = IndexOfOffset(haystack_length,
@@ -993,8 +994,11 @@ void IndexOfString(const FunctionCallbackInfo<Value>& args) {
                                      is_forward);
 
   if (needle_length == 0) {
-    // Match String#indexOf() and String#lastIndexOf() behavior.
-    args.GetReturnValue().Set(static_cast<double>(opt_offset));
+    // Match String#indexOf() and String#lastIndexOf() behavior,
+    // but clamp to search_end.
+    int64_t clamped = std::min(opt_offset,
+                               static_cast<int64_t>(search_end));
+    args.GetReturnValue().Set(static_cast<double>(clamped));
     return;
   }
 
@@ -1109,7 +1113,8 @@ void IndexOfBuffer(const FunctionCallbackInfo<Value>& args) {
 
   // search_end is the exclusive upper bound of the search range.
   size_t search_end = static_cast<size_t>(
-      std::min(end_i64, static_cast<int64_t>(haystack_length)));
+      std::min(std::max(end_i64, int64_t{0}),
+               static_cast<int64_t>(haystack_length)));
   if (enc == UCS2) search_end &= ~static_cast<size_t>(1);
 
   int64_t opt_offset = IndexOfOffset(haystack_length,
@@ -1118,8 +1123,11 @@ void IndexOfBuffer(const FunctionCallbackInfo<Value>& args) {
                                      is_forward);
 
   if (needle_length == 0) {
-    // Match String#indexOf() and String#lastIndexOf() behavior.
-    args.GetReturnValue().Set(static_cast<double>(opt_offset));
+    // Match String#indexOf() and String#lastIndexOf() behavior,
+    // but clamp to search_end.
+    int64_t clamped = std::min(opt_offset,
+                               static_cast<int64_t>(search_end));
+    args.GetReturnValue().Set(static_cast<double>(clamped));
     return;
   }
 
@@ -1185,7 +1193,8 @@ int32_t IndexOfNumberImpl(Local<Value> buffer_obj,
   size_t offset = static_cast<size_t>(opt_offset);
   // search_end is the exclusive upper bound of the search range.
   size_t search_end = static_cast<size_t>(
-      std::min(end_i64, static_cast<int64_t>(buffer_length)));
+      std::min(std::max(end_i64, int64_t{0}),
+               static_cast<int64_t>(buffer_length)));
 
   const void* ptr;
   if (is_forward) {
@@ -1222,8 +1231,8 @@ int32_t FastIndexOfNumber(Local<Value>,
                           Local<Value> buffer_obj,
                           uint32_t needle,
                           int64_t offset_i64,
-                          int64_t end_i64,
                           bool is_forward,
+                          int64_t end_i64,
                           // NOLINTNEXTLINE(runtime/references)
                           FastApiCallbackOptions& options) {
   HandleScope scope(options.isolate);

test/parallel/test-buffer-indexof.js

@@ -691,3 +691,39 @@ assert.strictEqual(reallyLong.lastIndexOf(pattern), 0);
 
   assert.strictEqual(buf.includes('c'), true);
 }
+
+// Regression tests for end parameter edge cases.
+{
+  const buf = Buffer.from('abcabc');
+
+  // Negative end should be treated as 0 (no match possible).
+  assert.strictEqual(buf.indexOf('a', 0, -1), -1);
+  assert.strictEqual(buf.indexOf('a', 0, -100), -1);
+  assert.strictEqual(buf.indexOf(0x61, 0, -1), -1);
+  assert.strictEqual(buf.lastIndexOf('a', 5, -1), -1);
+  assert.strictEqual(buf.lastIndexOf(0x61, 5, -1), -1);
+  assert.strictEqual(buf.includes('a', 0, -1), false);
+  assert.strictEqual(buf.indexOf(Buffer.from('a'), 0, -1), -1);
+  assert.strictEqual(buf.lastIndexOf(Buffer.from('a'), 5, -1), -1);
+
+  // end = 0 means empty search range.
+  assert.strictEqual(buf.indexOf('a', 0, 0), -1);
+  assert.strictEqual(buf.indexOf(0x61, 0, 0), -1);
+  assert.strictEqual(buf.lastIndexOf('a', 5, 0), -1);
+  assert.strictEqual(buf.lastIndexOf(0x61, 5, 0), -1);
+
+  // end greater than buffer length should be clamped.
+  assert.strictEqual(buf.indexOf('c', 0, 100), 2);
+  assert.strictEqual(buf.indexOf(0x63, 0, 100), 2);
+  assert.strictEqual(buf.lastIndexOf('c', 5, 100), 5);
+  assert.strictEqual(buf.lastIndexOf(0x63, 5, 100), 5);
+  assert.strictEqual(buf.indexOf(Buffer.from('c'), 0, 100), 2);
+
+  // Empty needle with end parameter should clamp to search_end.
+  assert.strictEqual(buf.indexOf('', 0, 3), 0);
+  assert.strictEqual(buf.indexOf('', 5, 3), 3);
+  assert.strictEqual(buf.indexOf(Buffer.from(''), 5, 3), 3);
+  assert.strictEqual(buf.indexOf('', 0, 0), 0);
+  assert.strictEqual(buf.lastIndexOf('', 5, 3), 3);
+  assert.strictEqual(buf.lastIndexOf(Buffer.from(''), 5, 3), 3);
+}