Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

lib: fix max size check in Buffer constructor #657

Merged
merged 1 commit into from
Jan 31, 2015

Conversation

bnoordhuis
Copy link
Member

A logic error let buffer sizes larger than kMaxLength (0x3fffffff) slip
through. The .toString() operation (and possibly others as well) then
blew up because the buffer was larger than it could reasonably handle.

Fixes the following run-time assert:

#
# Fatal error in ../deps/v8/src/handles.h, line 48
# CHECK(location_ != NULL) failed
#

==== C stack trace ===============================

 1: V8_Fatal
 2: v8::String::NewFromUtf8(v8::Isolate*, char const*, v8::String::NewStringType, int)
 3: node::StringBytes::Encode(v8::Isolate*, char const*, unsigned long, node::encoding)
 4: node::Buffer::Utf8Slice(v8::FunctionCallbackInfo<v8::Value> const&)
 5: v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&))
 6: ??
 7: ??

Fixes: #649

R=@trevnorris?

@bnoordhuis
Copy link
Member Author

The commit log is admittedly a little weak. The failing CHECK is related to but not exclusively caused by the bad length check in lib/buffer.js.

@trevnorris
Copy link
Contributor

LGTM

A number -> uint32 type coercion bug made buffer sizes
larger than kMaxLength (0x3fffffff) wrap around.

Instead of rejecting the requested size with an exception,
the constructor created a buffer with the wrong size.

PR-URL: nodejs#657
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
@bnoordhuis bnoordhuis merged commit 0767c2f into nodejs:v1.x Jan 31, 2015
@bnoordhuis bnoordhuis deleted the fix-issue-649 branch January 31, 2015 09:15
feross added a commit to feross/buffer that referenced this pull request Feb 10, 2015
trevnorris pushed a commit to nodejs/node-v0.x-archive that referenced this pull request Feb 10, 2015
A number -> uint32 type coercion bug made buffer sizes
larger than kMaxLength (0x3fffffff) wrap around.

Instead of rejecting the requested size with an exception,
the constructor created a buffer with the wrong size.

PR-URL: nodejs/node#657
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
itu2n1i8w added a commit to itu2n1i8w/buffer that referenced this pull request Aug 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants