buffer: fix range checks for slice()
Using the black magic of Symbol.toPrimitive the numeric value of start/end can be changed when Uint32Value() is called once Buffer::Fill() is entered. Allowing the CHECK() to be bypassed.

The bug report was only for "start", but the same can be done with "end". Perform checks for both in node::Buffer::Fill() to make sure the issue can't be triggered, even if process.binding is used directly.

Include tests for each case. Along with a check to make sure the last time the value is accessed returns -1. This should be enough to make sure Buffer::Fill() is receiving the correct value. Along with two tests against process.binding directly.

Fixes: #9149
PR-URL: #9174
Reviewed-By: James M Snell <firstname.lastname@example.org>
Reviewed-By: Franziska Hinkelmann <email@example.com>
Reviewed-By: Ben Noordhuis <firstname.lastname@example.org>
Showing with 78 additions and 1 deletion.
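
The check-then-recoerce pattern the commit message describes, modelled in plain JavaScript as an added example (not code from the Node.js commit). `shifty`, `fillUnsafe` and `fillSafe` are hypothetical names, and `fillUnsafe` only reports the range that a second coercion would produce.

```javascript
// Added illustration; shifty, fillUnsafe and fillSafe are hypothetical names,
// not Node.js internals.

// Constructed input: an object whose numeric value changes on each coercion.
function shifty(values) {
  let i = 0;
  return {
    reads: () => i,
    [Symbol.toPrimitive]() {
      return values[Math.min(i++, values.length - 1)];
    },
  };
}

// Models the ToUint32 conversion: -1 becomes 4294967295.
const toUint32 = (v) => Number(v) >>> 0;

// Flawed shape: bounds are validated on one coercion, then the arguments are
// coerced again for use, so the checked number is not the number used.
// Only reports the range that would be used; nothing is written.
function fillUnsafe(buf, start, end) {
  const checkedStart = toUint32(start);
  const checkedEnd = toUint32(end);
  if (checkedStart > checkedEnd || checkedEnd > buf.length)
    throw new RangeError('out of range index');
  const s = toUint32(start); // second coercion, may differ from checkedStart
  const e = toUint32(end);   // second coercion, may differ from checkedEnd
  return { start: s, end: e, inBounds: s <= e && e <= buf.length };
}

// Hardened shape: coerce each argument exactly once, validate the resulting
// primitives, and pass only those primitives on.
function fillSafe(buf, val, start, end) {
  const s = toUint32(start);
  const e = toUint32(end);
  if (s > e || e > buf.length) throw new RangeError('out of range index');
  buf.fill(val, s, e);
  return { start: s, end: e, inBounds: true };
}

const demoBuf = new Uint8Array(8);
console.log(fillUnsafe(demoBuf, shifty([0, -1]), 8));
console.log(fillSafe(demoBuf, 1, shifty([0, -1]), 8));
```

The same rule applies at any boundary that accepts caller-controlled objects: convert to a primitive once, then check and use only that primitive.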