add test for spoofed length getter in concat

mertcanaltin · mertcanaltin · commit 48483056c716 · 2026-02-10T18:45:23.000+03:00
diff --git a/lib/buffer.js b/lib/buffer.js
@@ -51,6 +51,7 @@ const {
   TypedArrayPrototypeGetLength,
   TypedArrayPrototypeSet,
   TypedArrayPrototypeSlice,
+  TypedArrayPrototypeSubarray,
   Uint8Array,
 } = primordials;
 
@@ -656,7 +657,7 @@ Buffer.concat = function concat(list, length) {
     const bufLength = TypedArrayPrototypeGetByteLength(buf);
     if (pos + bufLength > length) {
       TypedArrayPrototypeSet(buffer,
-                             TypedArrayPrototypeSlice(buf, 0, length - pos),
+                             TypedArrayPrototypeSubarray(buf, 0, length - pos),
                              pos);
       pos = length;
       break;
diff --git a/test/parallel/test-buffer-concat.js b/test/parallel/test-buffer-concat.js
@@ -122,3 +122,13 @@ assert.deepStrictEqual(
 assert.deepStrictEqual(Buffer.concat([new Uint8Array([0x41, 0x42]),
                                       new Uint8Array([0x43, 0x44])]),
                        Buffer.from('ABCD'));
+
+// Spoofed length getter should not cause uninitialized memory exposure
+{
+  const u8_1 = new Uint8Array([1, 2, 3, 4]);
+  const u8_2 = new Uint8Array([5, 6, 7, 8]);
+  Object.defineProperty(u8_1, 'length', { get() { return 100; } });
+  const buf = Buffer.concat([u8_1, u8_2]);
+  assert.strictEqual(buf.length, 8);
+  assert.deepStrictEqual(buf, Buffer.from([1, 2, 3, 4, 5, 6, 7, 8]));
+}
