From: Trevor Norris
Date: Fri, 24 Apr 2015 16:50:15 +0000 (-0600)
Subject: buffer: fix copy() segfault with zero arguments
X-Git-Tag: v1.8.2~15
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=5404cbc74533e2d52861221201b166e7c9c015ec;p=platform%2Fupstream%2Fnodejs.git
buffer: fix copy() segfault with zero arguments
Buffer#copy() immediately does a ToObject() on the first argument before it checks if it's even an Object. This causes Object::HasIndexedPropertiesInExternalArrayData() to be run on nothing, triggering the segfault. Instead run HasInstance() on the args Value. Which will check if it's actually an Object, before checking if it contains data.
Fixes: https://github.com/iojs/io.js/issues/1519
PR-URL: https://github.com/iojs/io.js/pull/1520
Reviewed-by: Evan Lucas
---
diff --git a/src/node_buffer.cc b/src/node_buffer.cc
index 61b80c6..8a47384 100644
--- a/src/node_buffer.cc
+++ b/src/node_buffer.cc
@@ -303,11 +303,11 @@ void Base64Slice(const FunctionCallbackInfo& args) {
 void Copy(const FunctionCallbackInfo &args) {
 Environment* env = Environment::GetCurrent(args);
- Local target = args[0]->ToObject(env->isolate());
-
- if (!HasInstance(target))
+ if (!HasInstance(args[0]))
 return env->ThrowTypeError("first arg should be a Buffer");
+ Local target = args[0]->ToObject(env->isolate());
+
 ARGS_THIS(args.This())
 size_t target_length = target->GetIndexedPropertiesExternalArrayDataLength();
 char* target_data = static_cast(
diff --git a/test/parallel/test-buffer.js b/test/parallel/test-buffer.js
index 9b16b7b..3cdd862 100644
--- a/test/parallel/test-buffer.js
+++ b/test/parallel/test-buffer.js
@@ -1179,3 +1179,8 @@ var ps = Buffer.poolSize;
 Buffer.poolSize = 0;
 assert.equal(Buffer(1).parent, undefined);
 Buffer.poolSize = ps;
+
+// Test Buffer.copy() segfault
+assert.throws(function() {
+ Buffer(10).copy();
+});
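Review bot: In Copy() in src/node_buffer.cc, the relocated `args[0]->ToObject(env->isolate())` still runs a conversion although HasInstance(args[0]) has already established that the argument is a Buffer object. A plain cast, `Local<Object> target = args[0].As<Object>();`, would remove a call that can fail and make it visible that this line depends on the check above it. Because the ordering is the entire fix, it deserves a comment such as `// Validate args[0] before converting: ToObject() on a missing argument left nothing to call methods on.` so a later cleanup does not hoist the conversion again. Other bindings in this file may use the same convert-then-check order; that cannot be seen from this hunk, and Copy()'s body continues past it.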
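Review bot: The new assertion at the end of test/parallel/test-buffer.js passes on any exception, so it would not notice if copy() began failing for an unrelated reason. Passing the expected type pins the behaviour the C++ change introduces: `assert.throws(function() { Buffer(10).copy(); }, TypeError);`. Only the zero-argument call is covered, while the same guard handles every non-Buffer first argument, so `Buffer(10).copy(undefined)` and `Buffer(10).copy({})` would be cheap additions to the regression test.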