Skip to content

Commit

Permalink
buffer: prevent abort on bad proto
Browse files Browse the repository at this point in the history
If an object's prototype is munged it's possible to bypass the
instanceof check and cause the application to abort. Instead now use
HasInstance() to verify that the object is a Buffer, and throw if not.

This check will not work for JS only methods. So while the application
won't abort, it also won't throw.

In order to properly throw in all cases with toString() the JS
optimization of checking that length is zero has been removed. In its
place the native methods will now return early if a zero length string
is detected.

Ref: nodejs#1486
Ref: nodejs#1922
Fixes: nodejs#1485
PR-URL: nodejs#2012
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
  • Loading branch information
trevnorris authored and mscdex committed Jul 9, 2015
1 parent 6268f80 commit 40c334d
Showing 1 changed file with 56 additions and 0 deletions.
56 changes: 56 additions & 0 deletions test/parallel/test-buffer-fakes.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
'use strict';

const common = require('../common');
const assert = require('assert');
const Buffer = require('buffer').Buffer;
const Bp = Buffer.prototype;

function FakeBuffer() { }
FakeBuffer.__proto__ = Buffer;
FakeBuffer.prototype.__proto__ = Buffer.prototype;

const fb = new FakeBuffer();

assert.throws(function() {
new Buffer(fb);
}, TypeError);

assert.throws(function() {
+Buffer.prototype;
}, TypeError);

assert.throws(function() {
Buffer.compare(fb, new Buffer(0));
}, TypeError);

assert.throws(function() {
fb.write('foo');
}, TypeError);

assert.throws(function() {
Buffer.concat([fb, fb]);
}, TypeError);

assert.throws(function() {
fb.toString();
}, TypeError);

assert.throws(function() {
fb.equals(new Buffer(0));
}, TypeError);

assert.throws(function() {
fb.indexOf(5);
}, TypeError);

assert.throws(function() {
fb.readFloatLE(0);
}, TypeError);

assert.throws(function() {
fb.writeFloatLE(0);
}, TypeError);

assert.throws(function() {
fb.fill(0);
}, TypeError);

0 comments on commit 40c334d

Please sign in to comment.