From 436f117cb1e3ac049999b5fbd2eed06a4edb356f Mon Sep 17 00:00:00 2001
From: "Artem S. Povalyukhin" <artem.povaluhin@gmail.com>
Date: Sat, 25 Dec 2021 22:45:30 +0300
Subject: [PATCH] Fixed information leak in Buffer.from().

This closes #446 on Github.
---
 src/njs_buffer.c         | 23 +++--------------------
 src/test/njs_unit_test.c |  8 ++++++++
 2 files changed, 11 insertions(+), 20 deletions(-)

diff --git a/src/njs_buffer.c b/src/njs_buffer.c
index 13182854..1f52603b 100644
--- a/src/njs_buffer.c
+++ b/src/njs_buffer.c
@@ -339,8 +339,7 @@ njs_buffer_from_object(njs_vm_t *vm, njs_value_t *value)
     uint32_t           i;
     njs_str_t          str;
     njs_int_t          ret;
-    njs_array_t        *array;
-    njs_value_t        retval, length;
+    njs_value_t        data, retval, length;
     njs_typed_array_t  *buffer;
 
     static const njs_value_t  string_length = njs_string("length");
@@ -379,7 +378,8 @@ next:
         }
 
         if (njs_is_object(&retval)) {
-            value = &retval;
+            njs_value_assign(&data, &retval);
+            value = &data;
             goto next;
         }
 
@@ -398,23 +398,6 @@ next:
 
     p = njs_typed_array_buffer(buffer)->u.u8;
 
-    if (njs_is_fast_array(value)) {
-        array = njs_array(value);
-
-        for (i = 0; i < array->length; i++) {
-            ret = njs_value_to_number(vm, &array->start[i], &num);
-            if (njs_slow_path(ret != NJS_OK)) {
-                return ret;
-            }
-
-            *p++ = njs_number_to_int32(num);
-        }
-
-        njs_set_typed_array(&vm->retval, buffer);
-
-        return NJS_OK;
-    }
-
     for (i = 0; i < len; i++) {
         ret = njs_value_property_i64(vm, value, i, &retval);
         if (njs_slow_path(ret == NJS_ERROR)) {
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index ba3c6960..c9ba7b8c 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -19926,6 +19926,14 @@ static njs_unit_test_t  njs_buffer_module_test[] =
     { njs_str("Buffer.from({ type: 'Buffer', get data() { throw new Error('test'); } })"),
       njs_str("Error: test") },
 
+    { njs_str("var a = [1,2,3,4]; a[1] = { valueOf() { a.length = 3; return 1; } };"
+              "njs.dump(Buffer.from(a))"),
+      njs_str("Buffer [1,1,3,0]") },
+
+    { njs_str("var a = [1,2,3,4]; a[1] = { valueOf() { a.length = 4096; a.fill(13); return 1; } };"
+              "njs.dump(Buffer.from(a))"),
+      njs_str("Buffer [1,1,13,13]") },
+
     { njs_str("["
              " ['6576696c', 'hex'],"
              " ['ZXZpbA==', 'base64'],"
-- 
2.47.3