From 734323d9eb4debf64034ce8320121e2318f572a9 Mon Sep 17 00:00:00 2001
From: cjihrig
Date: Thu, 9 Aug 2018 21:45:40 -0400
Subject: [PATCH] buffer: stop alloc() uninitialized memory return
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2018-7166

Discovered by ChALkeR - Сковорода Никита Андреевич

Prevent Buffer.alloc(size, fill, number) from returning uninitialized memory.

Fixes: https://github.com/nodejs-private/security/issues/202
PR-URL: https://github.com/nodejs-private/node-private/pull/137
Reviewed-By: Rod Vagg
Reviewed-By: Matteo Collina
Reviewed-By: Ruben Bridgewater
Reviewed-By: Evan Lucas
Reviewed-By: Сковорода Никита Андреевич
Reviewed-By: Michael Dawson
---
 lib/buffer.js | 3 ++-
 test/parallel/test-buffer-alloc.js | 7 +++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/buffer.js b/lib/buffer.js
index 398357c6845568..43d9d4d5822bd7 100644
--- a/lib/buffer.js
+++ b/lib/buffer.js
@@ -278,7 +278,8 @@ function assertSize(size) {
 Buffer.alloc = function alloc(size, fill, encoding) {
 assertSize(size);
 if (fill !== undefined && fill !== 0 && size > 0) {
- return _fill(createUnsafeBuffer(size), fill, encoding);
+ const buf = createUnsafeBuffer(size);
+ return _fill(buf, fill, 0, buf.length, encoding);
 }
 return new FastBuffer(size);
 };
diff --git a/test/parallel/test-buffer-alloc.js b/test/parallel/test-buffer-alloc.js
index daab9c9edc12e9..f89e25fdbb2f92 100644
--- a/test/parallel/test-buffer-alloc.js
+++ b/test/parallel/test-buffer-alloc.js
@@ -1039,3 +1039,10 @@ common.expectsError(() => {
 code: 'ERR_INVALID_ARG_VALUE',
 type: TypeError
 });
+
+common.expectsError(() => {
+ Buffer.alloc(40, 'x', 20);
+}, {
+ code: 'ERR_INVALID_ARG_TYPE',
+ type: TypeError
+});
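Review bot: The reason for spelling out `0, buf.length` on the new `_fill` call is not recorded next to it, so a later cleanup could fold the two lines back into `_fill(buf, fill, encoding)` and silently reintroduce the defect this commit fixes. A why-comment above the call would guard against that: `// Pass offset/end explicitly so a numeric third argument reaches _fill as the encoding (and is rejected) instead of being consumed positionally, which returned partly uninitialized memory (CVE-2018-7166).` The commit message states the symptom; that the number was being consumed as an offset is my inference from the old call's argument positions and should be confirmed against `_fill`, which is defined outside the hunk and is what the fix relies on to throw on a non-string `encoding`. `alloc` itself is fully visible in the hunk, so no other call site needs to change.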
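Review bot: The added `common.expectsError` case pins the throw but nothing ties it to the issue it guards, so a reader pruning this large test file cannot tell it is a security regression test; add `// Regression test for CVE-2018-7166: a numeric third argument to Buffer.alloc(size, fill, encoding) must be rejected, not consumed as a fill offset.` above the new block. It may also be worth asserting the positive path beside it, e.g. `assert.strictEqual(Buffer.alloc(4, 'x').toString(), 'xxxx');`, so the rewritten call is checked to still fill the whole buffer; whether `assert` is already in scope in this file cannot be seen from the hunk. The hunk is appended at the end of the file, and the surrounding test cases start before it.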