
src: avoid hanging on Buffer#fill 0-length input

Previously, zero-length Buffers and TypedArrays passed as fillers hung
Buffer#fill and Buffer.from.

This changes those cases that hung into a zero-fill instead, which
should be backwards compatible.

This fixes CVE-2018-7167.

PR-URL: nodejs-private/node-private#121
Fixes: nodejs-private/security#193
Refs: nodejs-private/node-private#118
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
ChALkeR authored and evanlucas committed Apr 24, 2018
1 parent c4948ea commit 7dbcfc62174bab7b547cd88e0385517e689891ad
Showing with 42 additions and 0 deletions.
  1. +6 −0 src/node_buffer.cc
  2. +20 −0 test/parallel/test-buffer-alloc-is-filled.js
  3. +16 −0 test/parallel/test-buffer-fill.js
@@ -654,6 +654,12 @@ void Fill(const FunctionCallbackInfo<Value>& args) {
size_t in_there = str_length;
char* ptr = ts_obj_data + start + str_length;
if (in_there == 0) {
// Just use zero-fill if the input was empty
memset(ts_obj_data + start, 0, fill_length);
return;
}
while (in_there < fill_length - in_there) {
memcpy(ptr, ts_obj_data + start, in_there);
ptr += in_there;
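Review bot: The comment on the new early-return branch at `if (in_there == 0)` says what it does but not why an empty filler needs a special case, so a later reader has no reason not to fold it back into the general path. Suggest `// An empty filler must not reach the doubling loop below: with in_there == 0 the memcpy never advances ptr and the loop would spin forever, so fall back to a zero-fill.` The `while (in_there < fill_length - in_there)` condition is the one that stays true indefinitely when in_there is 0. Fill() starts and ends outside the hunk, so whether str_length is already bounded against fill_length on entry is not visible here.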
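--- a/test/parallel/test-buffer-alloc-is-filled.js
+++ b/test/parallel/test-buffer-alloc-is-filled.js
@@ -0,0 +1,20 @@
+'use strict';
+require('../common');
+const assert = require('assert');
+for (const fill of [
+'',
+[],
+Buffer.from(''),
+new Uint8Array(0),
+{ toString: () => '' },
+{ toString: () => '', length: 10 }
+]) {
+for (let i = 0; i < 50; i++) {
+const buf = Buffer.alloc(100, fill);
+assert.strictEqual(buf.length, 100);
+for (let n = 0; n < buf.length; n++)
+assert.strictEqual(buf[n], 0);
+}
+}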
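Review bot: The repeat count in `for (let i = 0; i < 50; i++)` is unexplained; a reader cannot tell whether 50 is an arbitrary stress count or tied to some allocation threshold, so a one-line comment stating why the allocation is repeated is worth adding. The filler `{ toString: () => '', length: 10 }` also deserves a word, presumably that a stray `length` property must not be used to size the filler; the same list appears without explanation in the test-buffer-fill.js hunk. The commit description says Buffer.from also hung on these inputs, but neither new test calls Buffer.from with an empty filler, unless that is covered elsewhere.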
@@ -319,6 +319,22 @@ Buffer.alloc(8, '');
assert.strictEqual(buf.toString(), 'էէէէէ');
}
{
for (const fill of [
'',
[],
Buffer.from(''),
new Uint8Array(0),
{ toString: () => '' },
{ toString: () => '', length: 10 }
]) {
assert.deepStrictEqual(
Buffer.alloc(10, 'abc').fill(fill),
Buffer.alloc(10)
);
}
}
// Testing public API. Make sure "start" is properly checked, even if it's
// magically mangled using Symbol.toPrimitive.
{
