buffer: stop alloc() uninitialized memory return
CVE-2018-7166
Discovered by ChALkeR - Сковорода Никита Андреевич

Prevent Buffer.alloc(size, fill, number) from returning uninitialized memory.

Fixes: nodejs-private/security#202
PR-URL: nodejs-private/node-private#137
Reviewed-By: Rod Vagg <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
Reviewed-By: Evan Lucas <[email protected]>
Reviewed-By: Сковорода Никита Андреевич <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
cjihrig authored and rvagg committed Aug 15, 2018
1 parent 2c4c17b commit 734323d
Showing 2 changed files with 9 additions and 1 deletion.
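--- a/lib/buffer.js
+++ b/lib/buffer.js
@@ -278,7 +278,8 @@ function assertSize(size) {
 Buffer.alloc = function alloc(size, fill, encoding) {
 assertSize(size);
 if (fill !== undefined && fill !== 0 && size > 0) {
-return _fill(createUnsafeBuffer(size), fill, encoding);
+const buf = createUnsafeBuffer(size);
+return _fill(buf, fill, 0, buf.length, encoding);
 }
 return new FastBuffer(size);
 };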
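Review bot: The new `_fill(buf, fill, 0, buf.length, encoding)` call has no comment explaining why the range is spelled out, so a later cleanup could collapse it back to the three-argument form this commit removes. `buf` comes from `createUnsafeBuffer(size)`, so any byte `_fill` does not write is handed to the caller as-is, and the guarantee of `Buffer.alloc` now rests on the explicit `0, buf.length`. I would add above the call: `// buf is uninitialized: always pass start/end so a non-string third argument can never be read as an offset (CVE-2018-7166).` `_fill` itself is outside this hunk, so it is worth confirming that each of its paths either writes the whole range or throws.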
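--- a/test/parallel/test-buffer-alloc.js
+++ b/test/parallel/test-buffer-alloc.js
@@ -1039,3 +1039,10 @@ common.expectsError(() => {
 code: 'ERR_INVALID_ARG_VALUE',
 type: TypeError
 });
+
+common.expectsError(() => {
+Buffer.alloc(40, 'x', 20);
+}, {
+code: 'ERR_INVALID_ARG_TYPE',
+type: TypeError
+});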
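Review bot: The added case covers only a string fill (`'x'`) with a numeric third argument, and it only asserts that the call throws. Whether a number or Buffer fill with the same third argument also throws cannot be seen from this hunk; if that path returns a buffer, nothing here checks that all 40 bytes were written. I would add a companion case that pins the outcome, for example `assert.ok(Buffer.alloc(40, 1, 20).every((b) => b === 1));` if the call is meant to succeed, or a matching `common.expectsError` if it is meant to throw (assuming `assert` is already required in this file). A short comment above the new block naming CVE-2018-7166 would also tell the next reader that this is a security regression test and must not be dropped.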
