buffer: ignore negative allocation lengths

addaleax · Fishrock123 · commit 4438550d136f · 2016-06-01T19:03:10.000-04:00
Treat negative length arguments to `Buffer()`/`allocUnsafe()` as if they were zero so the allocation does not affect the pool’s offset. Fixes: #7047 PR-URL: #7051 Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Trevor Norris <trev.norris@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org>
diff --git a/lib/buffer.js b/lib/buffer.js
@@ -199,8 +199,8 @@ Object.setPrototypeOf(SlowBuffer, Uint8Array);
 
 
 function allocate(size){
- if (size === 0){
- return createBuffer(size);
+ if (size <= 0){
+ return createBuffer(0);
 }
 if (size < (Buffer.poolSize >>> 1)){
 if (size > (poolSize - poolOffset))
diff --git a/test/parallel/test-buffer.js b/test/parallel/test-buffer.js
@@ -1465,3 +1465,14 @@ assert.equal(Buffer.prototype.parent, undefined);
 assert.equal(Buffer.prototype.offset, undefined);
 assert.equal(SlowBuffer.prototype.parent, undefined);
 assert.equal(SlowBuffer.prototype.offset, undefined);
+
+{
+ // Test that large negative Buffer length inputs don't affect the pool offset.
+ assert.deepStrictEqual(Buffer(-Buffer.poolSize), Buffer.from(''));
+ assert.deepStrictEqual(Buffer(-100), Buffer.from(''));
+ assert.deepStrictEqual(Buffer.allocUnsafe(-Buffer.poolSize), Buffer.from(''));
+ assert.deepStrictEqual(Buffer.allocUnsafe(-100), Buffer.from(''));
+
+ // Check pool offset after that by trying to write string into the pool.
+ assert.doesNotThrow(() => Buffer.from('abc'));
+}

Original file line number	Diff line number	Diff line change
`@@ -199,8 +199,8 @@ Object.setPrototypeOf(SlowBuffer, Uint8Array);`
`199`	`199`
`200`	`200`
`201`	`201`	`functionallocate(size){`
`202`		`-if(size===0){`
`203`		`-returncreateBuffer(size);`
	`202`	`+if(size<=0){`
	`203`	`+returncreateBuffer(0);`
`204`	`204`	`}`
`205`	`205`	`if(size<(Buffer.poolSize>>>1)){`
`206`	`206`	`if(size>(poolSize-poolOffset))`
-Original file line number
+Diff line change
 assert.equal(Buffer.prototype.offset,undefined);
 assert.equal(SlowBuffer.prototype.parent,undefined);
 assert.equal(SlowBuffer.prototype.offset,undefined);
++
 +{
 +// Test that large negative Buffer length inputs don't affect the pool offset.
 +assert.deepStrictEqual(Buffer(-Buffer.poolSize),Buffer.from(''));
 +assert.deepStrictEqual(Buffer(-100),Buffer.from(''));
 +assert.deepStrictEqual(Buffer.allocUnsafe(-Buffer.poolSize),Buffer.from(''));
 +assert.deepStrictEqual(Buffer.allocUnsafe(-100),Buffer.from(''));
++
 +// Check pool offset after that by trying to write string into the pool.
 +assert.doesNotThrow(()=>Buffer.from('abc'));
 +}