lib: fix max size check in Buffer constructor
A number -> uint32 type coercion bug made buffer sizes
larger than kMaxLength (0x3fffffff) wrap around.

Instead of rejecting the requested size with an exception,
the constructor created a buffer with the wrong size.

PR-URL: #657
Reviewed-By: Trevor Norris <[email protected]>
bnoordhuis committed Jan 31, 2015
1 parent 65b1e4f commit 0767c2f
Showing 2 changed files with 10 additions and 3 deletions.
10 changes: 7 additions & 3 deletions lib/buffer.js
Expand Up @@ -31,7 +31,7 @@ function Buffer(subject, encoding) {
return new Buffer(subject, encoding);

if (util.isNumber(subject)) {
this.length = subject > 0 ? subject >>> 0 : 0;
this.length = +subject;

} else if (util.isString(subject)) {
if (!util.isString(encoding) || encoding.length === 0)
Expand All @@ -42,8 +42,7 @@ function Buffer(subject, encoding) {
} else if (util.isObject(subject)) {
if (subject.type === 'Buffer' && util.isArray(subject.data))
subject = subject.data;
// Must use floor() because array length may be > kMaxLength.
this.length = +subject.length > 0 ? Math.floor(+subject.length) : 0;
this.length = +subject.length;

} else {
throw new TypeError('must start with number, buffer, array or string');
Expand All @@ -54,6 +53,11 @@ function Buffer(subject, encoding) {
'size: 0x' + kMaxLength.toString(16) + ' bytes');
}

if (this.length < 0)
this.length = 0;
else
this.length >>>= 0; // Coerce to uint32.

this.parent = undefined;
if (this.length <= (Buffer.poolSize >>> 1) && this.length > 0) {
if (this.length > poolSize - poolOffset)
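Review bot: Nothing in the new code records that running the size check before the uint32 coercion is what fixes the bug, so a later cleanup could move `>>>= 0` back above the check and reintroduce the wrap-around. Between the assignments `this.length = +subject;` / `this.length = +subject.length;` and the added `if (this.length < 0)` block, `this.length` can hold NaN, a fraction or a value above kMaxLength, and the limit check (its condition is outside the hunk, presumably a `> kMaxLength` comparison) has to see that raw value. I would add a comment above the added block such as `// Coerce only after the kMaxLength check above; coercing first lets oversized values wrap to a small uint32.` and mention there that NaN fails both comparisons and ends up as 0 through `>>>= 0`. The Buffer function starts and ends outside the hunks shown.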
3 changes: 3 additions & 0 deletions test/parallel/test-buffer.js
Expand Up @@ -1163,3 +1163,6 @@ assert.throws(function() {
var b = new Buffer(1);
b.equals('abc');
});

// Regression test for https://github.com/iojs/io.js/issues/649.
assert.throws(function() { Buffer(1422561062959).toString('utf8'); });
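Review bot: The regression test passes on any exception from either call, because `assert.throws` is given no expected error and the callback also runs `.toString('utf8')`; it would still pass if the constructor returned a wrong-sized buffer and the failure came from the later call. Pinning it to the constructor and the error type ties it to the size check: `assert.throws(function() { Buffer(1422561062959); }, RangeError);` (the throw statement is outside the visible hunk, so confirm the type). The array-like path changed in lib/buffer.js has no test here; a case such as `assert.throws(function() { Buffer({ length: 1422561062959 }); }, RangeError);` would cover the second coercion site.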
