From 408083d4cd936be635f8e23094f574dc28e566e1 Mon Sep 17 00:00:00 2001
From: Feross Aboukhadijeh <4247785+itu2n1i8w@users.noreply.github.com>
Date: Mon, 9 Feb 2015 18:16:10 -0800
Subject: [PATCH] fix max size check in Buffer constructor

Copied from https://github.com/iojs/io.js/pull/657
---
 index.js | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/index.js b/index.js
index ae4b521..78f74f2 100644
--- a/index.js
+++ b/index.js
@@ -73,13 +73,13 @@ function Buffer (subject, encoding, noZero) {
 // Find the length
 var length
 if (type === 'number')
- length = subject > 0 ? subject >>> 0 : 0
+ length = +subject
 else if (type === 'string') {
 length = Buffer.byteLength(subject, encoding)
 } else if (type === 'object' && subject !== null) { // assume object is array-like
 if (subject.type === 'Buffer' && isArray(subject.data))
 subject = subject.data
- length = +subject.length > 0 ? Math.floor(+subject.length) : 0
+ length = +subject.length
 } else {
 throw new TypeError('must start with number, buffer, array or string')
 }
@@ -88,6 +88,11 @@ function Buffer (subject, encoding, noZero) {
 throw new RangeError('Attempt to allocate Buffer larger than maximum ' +
 'size: 0x' + kMaxLength.toString(16) + ' bytes')
 
+ if (length < 0)
+ length = 0
+ else
+ length >>>= 0 // Coerce to uint32.
+
 var self = this
 if (Buffer.TYPED_ARRAY_SUPPORT) {
 // Preferred: Return an augmented `Uint8Array` instance for best performance
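Review bot: Both assignments in the first hunk now leave `length` un-normalised (it can be negative, fractional, NaN or above 2^32), and nothing at the site says this is deliberate. A one-line comment above `var length`, such as `// Keep the raw numeric value; it is range-checked before being coerced to uint32 below`, would stop a later clean-up from restoring an early `>>> 0`. In the number branch the unary plus in `length = +subject` looks redundant if `type` is `typeof subject`, which is computed outside this hunk. The Buffer constructor starts before the hunk and continues after it.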
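Review bot: The clamp and `>>>= 0` coercion added in the second hunk are only safe because they sit after the maximum-size check, and neither a comment nor a test pins that order. `>>> 0` reduces its operand modulo 2^32, so coercing first would turn an oversized request into a small allocation that passes the limit; the `if` guarding the RangeError is above the hunk, so I am inferring that it compares `length` with `kMaxLength`. I would widen the comment to `// Coerce to uint32 only after the kMaxLength check: >>> 0 wraps values >= 2^32 and turns NaN into 0.` The diffstat shows only index.js changed, so a regression test asserting that a length of `0x100000000 + 1` throws RangeError would be worth adding alongside.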