buffer: ignore negative allocation lengths

addaleax · ChALkeR · commit 27785aeb3797 · 2016-06-17T17:52:42.000+03:00
Treat negative length arguments to `Buffer()`/`allocUnsafe()` as if they were zero so the allocation does not affect the pool’s offset. Fixes: #7047 Refs: #7051 PR-URL: #7221 Reviewed-By: Trevor Norris <trev.norris@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
diff --git a/lib/buffer.js b/lib/buffer.js
@@ -163,8 +163,8 @@ Object.setPrototypeOf(SlowBuffer, Uint8Array);
 
 
 function allocate(size) {
-  if (size === 0) {
-    return createBuffer(size);
+  if (size <= 0) {
+    return createBuffer(0);
   }
   if (size < (Buffer.poolSize >>> 1)) {
     if (size > (poolSize - poolOffset))
diff --git a/test/parallel/test-buffer.js b/test/parallel/test-buffer.js
@@ -1438,3 +1438,14 @@ assert.equal(Buffer.prototype.parent, undefined);
 assert.equal(Buffer.prototype.offset, undefined);
 assert.equal(SlowBuffer.prototype.parent, undefined);
 assert.equal(SlowBuffer.prototype.offset, undefined);
+
+{
+  // Test that large negative Buffer length inputs don't affect the pool offset.
+  assert.deepStrictEqual(Buffer(-Buffer.poolSize), Buffer.from(''));
+  assert.deepStrictEqual(Buffer(-100), Buffer.from(''));
+  assert.deepStrictEqual(Buffer.allocUnsafe(-Buffer.poolSize), Buffer.from(''));
+  assert.deepStrictEqual(Buffer.allocUnsafe(-100), Buffer.from(''));
+
+  // Check pool offset after that by trying to write string into the pool.
+  assert.doesNotThrow(() => Buffer.from('abc'));
+}

Original file line number	Diff line number	Diff line change
`@@ -163,8 +163,8 @@ Object.setPrototypeOf(SlowBuffer, Uint8Array);`
`163`	`163`
`164`	`164`
`165`	`165`	`function allocate(size) {`
`166`		`- if (size === 0) {`
`167`		`- return createBuffer(size);`
	`166`	`+ if (size <= 0) {`
	`167`	`+ return createBuffer(0);`
`168`	`168`	`}`
`169`	`169`	`if (size < (Buffer.poolSize >>> 1)) {`
`170`	`170`	`if (size > (poolSize - poolOffset))`