buffer: fix range checks for slice()
Checklist
- make -j8 test (UNIX), or vcbuild test nosign (Windows) passes
- tests and/or benchmarks are included
- commit message follows commit guidelines
Affected core subsystem(s)
buffer
Description of change
Using the black magic of Symbol.toPrimitive the numeric value of start/end can be changed when Uint32Value() is called once Buffer::Fill() is entered. Allowing the CHECK() to be bypassed.

The bug report was only for "start", but the same can be done with "end". Perform checks for both in node::Buffer::Fill() to make sure the issue can't be triggered, even if process.binding is used directly.

Include tests for each case. Along with a check to make sure the last time the value is accessed returns -1. This should be enough to make sure Buffer::Fill() is receiving the correct value. Along with two tests against process.binding directly.
Fixes: https://github.com/nodejs/node/issues/9149
R=@nodejs/buffer
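
The double-coercion pattern described above, as an added example that is not part of the original PR or of Node.js's own code: a pure-JavaScript model in which the hypothetical `innerRange` stands in for the native layer's Uint32Value() conversion and only reports the range instead of writing. The names `shiftingNumber`, `fillRangeUnchecked` and `fillRangeChecked` are also hypothetical, and the sample values are constructed.

```javascript
'use strict';

// Constructed test value: each numeric coercion returns the next entry of
// `values`, then stays on the last one.
function shiftingNumber(values) {
  let calls = 0;
  return {
    [Symbol.toPrimitive]() {
      return values[Math.min(calls++, values.length - 1)];
    },
  };
}

// Stand-in for the native layer: converts like Uint32Value() and reports the
// range it would use instead of touching memory.
function innerRange(length, start, end) {
  const s = start >>> 0;
  const e = end >>> 0;
  return { start: s, end: e, inBounds: s <= e && e <= length };
}

// Flawed shape: validate the caller's object, then let the inner layer
// coerce the same object a second time.
function fillRangeUnchecked(length, start, end) {
  if (start < 0 || end > length) throw new RangeError('out of range');
  return innerRange(length, start, end);
}

// Hardened shape: coerce once to primitives, validate those, and check the
// converted values again at the inner layer.
function fillRangeChecked(length, start, end) {
  const s = +start;
  const e = +end;
  if (!(s >= 0 && s <= e && e <= length)) throw new RangeError('out of range');
  const r = innerRange(length, s, e);
  if (!r.inBounds) throw new RangeError('out of range');
  return r;
}
```

In the flawed shape the comparison sees the first coercion and the unsigned conversion sees the second, so a final -1 becomes 4294967295 after the check has already passed.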