From 2c9a84c93f563ed5b6a5f859ff2a0713e250761a Mon Sep 17 00:00:00 2001
From: Patrick Spiegel
Date: Fri, 27 Oct 2017 12:34:56 +0000
Subject: [PATCH] [Fix] Buffer.concat looses taint #20

---
 lib/_taint_buffer_util.js | 14 ++++++++++++++
 lib/buffer.js | 2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/lib/_taint_buffer_util.js b/lib/_taint_buffer_util.js
index 99f7f6428e5ad0..0f6bb6127ea93d 100644
--- a/lib/_taint_buffer_util.js
+++ b/lib/_taint_buffer_util.js
@@ -284,6 +284,20 @@ exports.applyTaintToBuffer = (buffer, string, encoding,
   return buffer;
 };
 
+exports.concatBufferArrayTaint = (list) => {
+  return list.reduce((acc, val) => {
+    if (typeof val === 'object' && val.taint) {
+      val.taint.forEach((range) => {
+        acc.taint.push({'begin': range.begin + acc.len,
+                        'end': range.end + acc.len,
+                        'flow': range.flow
+        });
+      });
+    }
+    acc.len += val.len;
+    return acc;
+  }, {'len': 0, 'taint': []}).taint;
+};
 
 exports.applyArrayTaintToBuffer = (array) => {
   const newTaint = [];
diff --git a/lib/buffer.js b/lib/buffer.js
index 5988436a50c557..acd4d9a3305af8 100644
--- a/lib/buffer.js
+++ b/lib/buffer.js
@@ -510,7 +510,7 @@ Buffer.concat = function concat(list, length) {
   }
 
   // TaintV8
-  buffer.taint = TaintBuffer.subtaint(buffer, 0, length);
+  buffer.taint = TaintBuffer.concatBufferArrayTaint(list);
 
   // Note: `length` is always equal to `buffer.length` at this point
   if (pos < length) {
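Review bot: `acc.len += val.len;` in concatBufferArrayTaint reads a `len` property that a Buffer/Uint8Array does not expose — unless this fork defines one, `val.len` is undefined, `acc.len` becomes NaN after the first element, and every range copied from the second and later buffers is pushed with NaN `begin`/`end`, so their taint is still lost (the defect the commit sets out to fix); `acc.len += val.length;` is the intended line, matching the `buffer.length` the surrounding code uses. The removed `subtaint(buffer, 0, length)` in the lib/buffer.js hunk also clipped the taint to the buffer's size, whereas the new call never sees `length`, so a caller passing a `length` shorter than the sum of the inputs gets ranges that lie past the end of the result; passing `length` into the helper and dropping or clipping ranges against it (as in the excerpt below, which assumes `end` is exclusive — confirm against the other range consumers) restores that invariant. The `typeof val === 'object'` guard is also true for `null`, which would then throw on `val.taint`; Buffer.concat's per-element validation is outside the hunk, so I cannot confirm it already rejects that. Since a silently dropped range shows up as a missed detection rather than a crash, a regression test that concatenates two tainted buffers and asserts the shifted offset of the second buffer's range would guard both points.

```javascript
exports.concatBufferArrayTaint = (list, length) => {
  const taint = list.reduce((acc, val) => {
    // … unchanged: copy each range of val shifted by acc.len …
    acc.len += val.length;
    return acc;
  }, {'len': 0, 'taint': []}).taint;
  // Mirror the former subtaint(buffer, 0, length): keep only ranges inside the result.
  if (length === undefined) return taint;
  return taint.filter((range) => range.begin < length).map((range) => ({
    'begin': range.begin,
    'end': Math.min(range.end, length),
    'flow': range.flow
  }));
};
```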