-
Notifications
You must be signed in to change notification settings - Fork 30.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Backport important Buffer changes to v5.x #7169
Conversation
The first commit here is a Can we get a semver-minor release in 5.x? That would also be good for backporting |
LGTM |
Yea I be happy to cut another v5 with some of these changes. Anyone oppose? /cc @nodejs/release |
Ah, sorry. At least one commit here was actually already backported to 5.x, my local copy somewhy didn't get updated. Will rebase in a moment, it will be three commits here =). |
Rebased. |
Uhm. Actually, after a rebase there is no need to have this grouped in one PR — all three commits here are independent and could be landed in any order now. So if this gets stuck on the first change (the API backport) — we should better split this into separate PRs. |
Will be able to take a look today.
|
LGTM |
/cc @evanlucas |
Ok, not it's not clear if the next 5.x release will be a semver-minor one, so I'm splitting this in two PRs. |
This backports the new `Buffer.allocUnsafeSlow()` API for v5. This backport includes the new API, test cases, and docs additions. Already present API and testcases were not changed. PR-URL: nodejs#7169 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Test failed or zero-sized Buffer allocations not affecting subsequent creations of typed arrays. PR-URL: nodejs#7169 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Rebased after landing #7221. |
I will land this tomorrow if there are no objections. |
CI is mostly green, failures (alpine and smartos) look unrelated. Landing. |
Notable changes: This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/june-2016-security-releases for details on patched vulnerabilities. * **buffer** * backport allocUnsafeSlow (Сковорода Никита Андреевич) [#7169](#7169) * ignore negative allocation lengths (Anna Henningsen) [#7221](#7221) * **deps**: backport 3a9bfec from v8 upstream (Ben Noordhuis) [nodejs/node-private#40](https://github.com/nodejs/node-private/pull/40) * Fixes a Buffer overflow vulnerability discovered in v8. More details can be found in the CVE (CVE-2016-1699). PR-URL: https://github.com/nodejs/node-private/pull/51
This backports
threetwoBuffer
-related commits to 5.xallocUnsafeSlow
introduction from buffer: replace SlowBuffer with Buffer.allocUnsafeSlow(size) #5833.Buffer.alloc
andBuffer.allocUnsafe
are already backported to 5.x, whileBuffer.allosUnsafeSlow
isn't — that could be unexpected by users. The good thing is thatallocUnsafeSlow
(asSlowBuffer
) is hopefully rarely used.This is a backport and was significantly changed from the original commit — it does not modify any existing code or tests, it just adds the new API method and tests for it. No deprecation is introduced in the docs.
ignore negative allocation lengths
from buffer: ignore negative allocation lengths #7051 — security-related.Merged in Backport «buffer: ignore negative allocation lengths» to v5.x #7221.
add buffer testcase for resetting kZeroFill
from lib,src: reset zero fill flag on exception #7093 — testcase forsafeguard against accidental kNoZeroFill
.This landed cleanly.
/cc @jasnell @trevnorris @bnoordhuis @addaleax