From 5279e0e800ef0812b108a75afb460e96f0fc0f98 Mon Sep 17 00:00:00 2001 From: Dmitry Volyntsev Date: Fri, 17 Sep 2021 18:29:40 +0000 Subject: [PATCH] Fixed njs_buffer_slot(). Previously, njs_buffer_slot() might return NULL value without setting corresponding exception where user code expects it. In addition the function is split into two functions. The internal one does not set anything to vm->retval. This function has to be used by property handlers, because they are expected not to modify vm->retval. --- src/njs_buffer.c | 38 ++++++++++++++++++++++---------------- src/test/njs_unit_test.c | 6 ++++++ 2 files changed, 28 insertions(+), 16 deletions(-) diff --git a/src/njs_buffer.c b/src/njs_buffer.c index 86a0b93b..2c47657c 100644 --- a/src/njs_buffer.c +++ b/src/njs_buffer.c 
@@ -572,30 +572,36 @@ njs_buffer_byte_length(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs, static njs_typed_array_t * -njs_buffer_slot(njs_vm_t *vm, njs_value_t *value, const char *name) +njs_buffer_slot_internal(njs_vm_t *vm, njs_value_t *value) { njs_typed_array_t *array; - if (njs_slow_path(!njs_is_object(value))) { - goto failed; + if (njs_is_object(value)) { + array = njs_object_proto_lookup(njs_object(value), NJS_TYPED_ARRAY, + njs_typed_array_t); + + if (array != NULL && array->type == NJS_OBJ_TYPE_UINT8_ARRAY) { + return array; + } } - array = njs_object_proto_lookup(njs_object(value), NJS_TYPED_ARRAY, - njs_typed_array_t); + return NULL; +} - if (njs_slow_path(array != NULL - && array->type != NJS_OBJ_TYPE_UINT8_ARRAY)) - { - goto failed; - } - return array; +static njs_typed_array_t * +njs_buffer_slot(njs_vm_t *vm, njs_value_t *value, const char *name) +{ + njs_typed_array_t *array; -failed: + array = njs_buffer_slot_internal(vm, value); + if (njs_slow_path(array == NULL)) { + njs_type_error(vm, "\"%s\" argument must be an instance " + "of Buffer or Uint8Array", name); + return NULL; + } - njs_type_error(vm, "\"%s\" argument must be an instance " - "of Buffer or Uint8Array", name); - return NULL; + return array; } @@ -902,7 +908,7 @@ njs_buffer_prototype_length(njs_vm_t *vm, njs_object_prop_t *prop, { njs_typed_array_t *array; - array = njs_buffer_slot(vm, value, "this"); + array = njs_buffer_slot_internal(vm, value); if (njs_slow_path(array == NULL)) { njs_set_undefined(retval); return NJS_DECLINED; diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c index 5dd2318c..72d01817 100644 --- a/src/test/njs_unit_test.c +++ b/src/test/njs_unit_test.c 
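Review bot: The no-exception contract of `njs_buffer_slot_internal()` is stated only in the commit message, not at the definition, so a later caller can pick the wrong variant and reintroduce either a NULL return with no pending exception or an exception raised from inside a property handler. A header comment such as `/* Returns the Uint8Array-typed array behind value, or NULL; never raises and never touches vm->retval. */` on the internal function, plus `/* On NULL, a TypeError naming "name" has been set. */` on `njs_buffer_slot()`, would pin that down. The visible body of `njs_buffer_slot_internal()` also never reads `vm`, so the parameter could be dropped unless it is kept for signature symmetry. The `njs_buffer_prototype_length()` call site in the next hunk relies on this contract; that function's body starts and ends outside its hunk.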
@@ -19538,6 +19538,12 @@ static njs_unit_test_t njs_test[] = "})"), njs_str("true") }, + { njs_str("Buffer.from([1,2]).equals(new ArrayBuffer(1))"), + njs_str("TypeError: \"target\" argument must be an instance of Buffer or Uint8Array") }, + + { njs_str("Buffer.from([1,2]).equals(1)"), + njs_str("TypeError: \"target\" argument must be an instance of Buffer or Uint8Array") }, + { njs_str("var buf = Buffer.alloc(4);" "buf.fill('ZXZpbA==', 'base64')"), njs_str("evil") }, -- 2.47.3
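Review bot: Both added cases exercise `equals()`, i.e. the throwing `njs_buffer_slot()` path, so nothing in this hunk covers the other half of the commit, where `njs_buffer_prototype_length()` is switched to the non-throwing lookup. A case that reads `length` on a receiver that is not a Buffer, for example `{ njs_str("Buffer.prototype.length"), njs_str("undefined") },` (expected string to be confirmed against the actual result), would guard against the property handler leaving a stale TypeError behind. The `njs_test[]` array starts and ends outside the hunk.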