Skip to content
Permalink
Browse files
buffer: stop alloc() uninitialized memory return
CVE-2018-7166
Discovered by ChALkeR - Сковорода Никита Андреевич

Prevent Buffer.alloc(size, fill, number) from returning uninitialized memory.

Fixes: nodejs-private/security#202
PR-URL: nodejs-private/node-private#137
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
  • Loading branch information
cjihrig authored and rvagg committed Aug 16, 2018
1 parent 16accff commit 40a7beeddac9b9ec9ef5b49157daaf8470648b08
Showing with 9 additions and 1 deletion.
  1. +2 −1 lib/buffer.js
  2. +7 −0 test/parallel/test-buffer-alloc.js
@@ -278,7 +278,8 @@ function assertSize(size) {
Buffer.alloc = function alloc(size, fill, encoding) {
assertSize(size);
if (fill !== undefined && fill !== 0 && size > 0) {
return _fill(createUnsafeBuffer(size), fill, encoding);
const buf = createUnsafeBuffer(size);
return _fill(buf, fill, 0, buf.length, encoding);
}
return new FastBuffer(size);
};
@@ -1039,3 +1039,10 @@ common.expectsError(() => {
code: 'ERR_INVALID_ARG_VALUE',
type: TypeError
});

common.expectsError(() => {
Buffer.alloc(40, 'x', 20);
}, {
code: 'ERR_INVALID_ARG_TYPE',
type: TypeError
});

1 comment on commit 40a7bee

@ChALkeR

This comment has been minimized.

Copy link
Member

@ChALkeR ChALkeR commented on 40a7bee Aug 23, 2018

@cjihrig @MylesBorins @nodejs/lts the testcase should be backported.

Please sign in to comment.