Skip to content

Commit

Permalink
buffer: stop alloc() uninitialized memory return
Browse files Browse the repository at this point in the history
CVE-2018-7166
Discovered by ChALkeR - Сковорода Никита Андреевич

Prevent Buffer.alloc(size, fill, number) from returning uninitialized memory.

Fixes: nodejs-private/security#202
PR-URL: nodejs-private/node-private#137
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
  • Loading branch information
cjihrig authored and rvagg committed Aug 16, 2018
1 parent 16accff commit 40a7bee
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 1 deletion.
3 changes: 2 additions & 1 deletion lib/buffer.js
Original file line number Diff line number Diff line change
Expand Up @@ -278,7 +278,8 @@ function assertSize(size) {
Buffer.alloc = function alloc(size, fill, encoding) {
assertSize(size);
if (fill !== undefined && fill !== 0 && size > 0) {
return _fill(createUnsafeBuffer(size), fill, encoding);
const buf = createUnsafeBuffer(size);
return _fill(buf, fill, 0, buf.length, encoding);
}
return new FastBuffer(size);
};
Expand Down
7 changes: 7 additions & 0 deletions test/parallel/test-buffer-alloc.js
Original file line number Diff line number Diff line change
Expand Up @@ -1039,3 +1039,10 @@ common.expectsError(() => {
code: 'ERR_INVALID_ARG_VALUE',
type: TypeError
});

common.expectsError(() => {
Buffer.alloc(40, 'x', 20);
}, {
code: 'ERR_INVALID_ARG_TYPE',
type: TypeError
});

1 comment on commit 40a7bee

@ChALkeR
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cjihrig @MylesBorins @nodejs/lts the testcase should be backported.

Please sign in to comment.