From 5404cbc74533e2d52861221201b166e7c9c015ec Mon Sep 17 00:00:00 2001 From: Trevor Norris Date: Fri, 24 Apr 2015 10:50:15 -0600 Subject: [PATCH] buffer: fix copy() segfault with zero arguments Buffer#copy() immediately does a ToObject() on the first argument before it checks if it's even an Object. This causes Object::HasIndexedPropertiesInExternalArrayData() to be run on nothing, triggering the segfault. Instead run HasInstance() on the args Value. Which will check if it's actually an Object, before checking if it contains data. Fixes: /~https://github.com/iojs/io.js/issues/1519 PR-URL: /~https://github.com/iojs/io.js/pull/1520 Reviewed-by: Evan Lucas --- src/node_buffer.cc | 6 +++--- test/parallel/test-buffer.js | 5 +++++ 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/src/node_buffer.cc b/src/node_buffer.cc index 61b80c622a809e..8a473847f285f2 100644 --- a/src/node_buffer.cc +++ b/src/node_buffer.cc @@ -303,11 +303,11 @@ void Base64Slice(const FunctionCallbackInfo& args) { void Copy(const FunctionCallbackInfo &args) { Environment* env = Environment::GetCurrent(args); - Local target = args[0]->ToObject(env->isolate()); - - if (!HasInstance(target)) + if (!HasInstance(args[0])) return env->ThrowTypeError("first arg should be a Buffer"); + Local target = args[0]->ToObject(env->isolate()); + ARGS_THIS(args.This()) size_t target_length = target->GetIndexedPropertiesExternalArrayDataLength(); char* target_data = static_cast( diff --git a/test/parallel/test-buffer.js b/test/parallel/test-buffer.js index 9b16b7b028476a..3cdd862880207a 100644 --- a/test/parallel/test-buffer.js +++ b/test/parallel/test-buffer.js @@ -1179,3 +1179,8 @@ var ps = Buffer.poolSize; Buffer.poolSize = 0; assert.equal(Buffer(1).parent, undefined); Buffer.poolSize = ps; + +// Test Buffer.copy() segfault +assert.throws(function() { + Buffer(10).copy(); +});