lib: fix max size check in Buffer constructor

A number -> uint32 type coercion bug made buffer sizes
larger than kMaxLength (0x3fffffff) wrap around.

Instead of rejecting the requested size with an exception,
the constructor created a buffer with the wrong size.

PR-URL: https://github.com/iojs/io.js/pull/657
Reviewed-By: Trevor Norris <trev.norris@gmail.com>

1 files changed, 7 insertions, 3 deletions

diff --git a/lib/buffer.js b/lib/buffer.js
index 2e29ae4eb..e5588963d 100644
--- a/lib/buffer.js
+++ b/lib/buffer.js
@@ -50,7 +50,7 @@ function Buffer(subject, encoding) {
     return new Buffer(subject, encoding);
 
   if (util.isNumber(subject)) {
-    this.length = subject > 0 ? subject >>> 0 : 0;
+    this.length = +subject;
 
   } else if (util.isString(subject)) {
     if (!util.isString(encoding) || encoding.length === 0)
@@ -61,8 +61,7 @@ function Buffer(subject, encoding) {
   } else if (util.isObject(subject)) {
     if (subject.type === 'Buffer' && util.isArray(subject.data))
       subject = subject.data;
-    // Must use floor() because array length may be > kMaxLength.
-    this.length = +subject.length > 0 ? Math.floor(+subject.length) : 0;
+    this.length = +subject.length;
 
   } else {
     throw new TypeError('must start with number, buffer, array or string');
@@ -73,6 +72,11 @@ function Buffer(subject, encoding) {
                          'size: 0x' + kMaxLength.toString(16) + ' bytes');
   }
 
+  if (this.length < 0)
+    this.length = 0;
+  else
+    this.length >>>= 0;  // Coerce to uint32.
+
   this.parent = undefined;
   if (this.length <= (Buffer.poolSize >>> 1) && this.length > 0) {
     if (this.length > poolSize - poolOffset)