buffer: zero-fill uninitialized bytes in .concat()

This makes sure that no uninitialized bytes are leaked when the specified
`totalLength` input value is greater than the actual total length of the
specified buffers array, e.g. in Buffer.concat([Buffer.alloc(0)], 100).

PR-URL: nodejs-private/node-private#66
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Anna Henningsen <anna@addaleax.net>

lib/buffer.js

@@ -216,6 +216,14 @@ Buffer.concat = function(list, length) {
     pos += buf.length;
   }
 
+  // Note: `length` is always equal to `buffer.length` at this point
+  if (pos < length) {
+    // Zero-fill the remaining bytes if the specified `length` was more than
+    // the actual total length, i.e. if we have some remaining allocated bytes
+    // there were not initialized.
+    buffer.fill(0, pos, length);
+  }
+
   return buffer;
 };
 

test/simple/test-buffer-concat.js

@@ -38,4 +38,22 @@ assert(flatOne === one[0]);
 assert(flatLong.toString() === (new Array(10+1).join('asdf')));
 assert(flatLongLen.toString() === (new Array(10+1).join('asdf')));
 
+var ones = new Buffer(10).fill('1');
+var empty = new Buffer(0);
+
+assert.equal(Buffer.concat([], 100).toString(), '');
+assert.equal(Buffer.concat([ones], 0).toString(), ones.toString()); // 0.12.x
+assert.equal(Buffer.concat([ones], 10).toString(), ones.toString());
+assert.equal(Buffer.concat([ones, ones], 10).toString(), ones.toString());
+assert.equal(Buffer.concat([empty, ones]).toString(), ones.toString());
+assert.equal(Buffer.concat([ones, empty, empty]).toString(), ones.toString());
+
+// The tail should be zero-filled
+assert.equal(
+    Buffer.concat([empty, empty], 100).toString(),
+    new Buffer(100).fill(0).toString());
+assert.equal(
+    Buffer.concat([empty, ones], 40).toString(),
+    Buffer.concat([ones, new Buffer(30).fill(0)]).toString());
+
 console.log("ok");