From a9943da94b5e33e08474f896f0c788a97c7ba87c Mon Sep 17 00:00:00 2001
From: Luke Curley <kixelated@gmail.com>
Date: Mon, 17 Nov 2025 13:44:33 -0800
Subject: [PATCH] Fix buffer capacity check in varint encode to account for
 byteOffset
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The capacity check was comparing against the buffer's total byteLength
without accounting for byteOffset. For Uint8Array views over a larger
buffer, this could incorrectly allow writes that exceed the available space.

Use dst.byteOffset + dst.byteLength + size > dst.buffer.byteLength to
properly check the actual end position of the appended data.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 web-transport-ws/src/varint.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web-transport-ws/src/varint.ts b/web-transport-ws/src/varint.ts
index 8109465..26fae66 100644
--- a/web-transport-ws/src/varint.ts
+++ b/web-transport-ws/src/varint.ts
@@ -28,7 +28,7 @@ export class VarInt {
 		const x = this.value;
 
 		const size = this.size();
-		if (dst.buffer.byteLength < dst.byteLength + size) {
+		if (dst.byteOffset + dst.byteLength + size > dst.buffer.byteLength) {
 			throw new Error("destination buffer too small");
 		}