buffer: fix copy() segfault with zero arguments
Buffer#copy() immediately does a ToObject() on the first argument before it checks if it's even an Object. This causes Object::HasIndexedPropertiesInExternalArrayData() to be run on nothing, triggering the segfault. Instead run HasInstance() on the args Value. Which will check if it's actually an Object, before checking if it contains data. Fixes: https://github.com/iojs/io.js/issues/1519 PR-URL: https://github.com/iojs/io.js/pull/1520 Reviewed-by: Evan Lucas <evanlucas@me.com>
This commit is contained in:
Родитель
2f6986ee46
Коммит
5404cbc745
|
@ -303,11 +303,11 @@ void Base64Slice(const FunctionCallbackInfo<Value>& args) {
|
|||
void Copy(const FunctionCallbackInfo<Value> &args) {
|
||||
Environment* env = Environment::GetCurrent(args);
|
||||
|
||||
Local<Object> target = args[0]->ToObject(env->isolate());
|
||||
|
||||
if (!HasInstance(target))
|
||||
if (!HasInstance(args[0]))
|
||||
return env->ThrowTypeError("first arg should be a Buffer");
|
||||
|
||||
Local<Object> target = args[0]->ToObject(env->isolate());
|
||||
|
||||
ARGS_THIS(args.This())
|
||||
size_t target_length = target->GetIndexedPropertiesExternalArrayDataLength();
|
||||
char* target_data = static_cast<char*>(
|
||||
|
|
|
@ -1179,3 +1179,8 @@ var ps = Buffer.poolSize;
|
|||
Buffer.poolSize = 0;
|
||||
assert.equal(Buffer(1).parent, undefined);
|
||||
Buffer.poolSize = ps;
|
||||
|
||||
// Test Buffer.copy() segfault
|
||||
assert.throws(function() {
|
||||
Buffer(10).copy();
|
||||
});
|
||||
|
|
Загрузка…
Ссылка в новой задаче