From 0276e9e82cbdfa1d20a873a9552eb18b0f8fe2b7 Mon Sep 17 00:00:00 2001
From: "Sakthipriyan Vairamani (thefourtheye)" <thechargingvolcano@gmail.com>
Date: Sat, 15 Oct 2016 00:51:46 +0530
Subject: [PATCH] buffer: coerce slice parameters consistently
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As shown in https://github.com/nodejs/node/issues/9096, the offset and
end value of the `slice` call are coerced to numbers and then passed to
`FastBuffer`, which internally truncates the mantissa part if the number
is actually a floating point number. This actually affects the new
length of the slice calculation. For example,

    > const original = Buffer.from('abcd');
    undefined
    > original.slice(original.length / 3).toString()
    'bc'

This happens because, starting value of the slice is 4 / 3, which is
1.33 (approximately). Now, the length of the slice is calculated as
the difference between the actual length of the buffer and the starting
offset. So, it becomes 2.67 (4 - 1.33). Now, a new `FastBuffer` is
constructed, with the following values as parameters,

 1. actual buffer object,
 2. starting value, which is 1.33 and
 3. the length 2.67.

The underlying C++ code truncates the numbers and they become 1 and 2.
That is why the result is just `bc`.

This patch makes sure that all the offsets are coerced to integers
before any calculations are done.

Fixes: https://github.com/nodejs/node/issues/9096
PR-URL: https://github.com/nodejs/node/pull/9101
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
---
 lib/buffer.js                      |  7 +++----
 test/parallel/test-buffer-slice.js | 10 ++++++++++
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/lib/buffer.js b/lib/buffer.js
index f4dfba860f..942fc35071 100644
--- a/lib/buffer.js
+++ b/lib/buffer.js
@@ -789,11 +789,10 @@ Buffer.prototype.toJSON = function() {
 
 
 function adjustOffset(offset, length) {
-  offset = +offset;
-  if (offset === 0 || Number.isNaN(offset)) {
+  offset |= 0;
+  if (offset === 0) {
     return 0;
-  }
-  if (offset < 0) {
+  } else if (offset < 0) {
     offset += length;
     return offset > 0 ? offset : 0;
   } else {
diff --git a/test/parallel/test-buffer-slice.js b/test/parallel/test-buffer-slice.js
index 133d056b17..e5b598e625 100644
--- a/test/parallel/test-buffer-slice.js
+++ b/test/parallel/test-buffer-slice.js
@@ -62,3 +62,13 @@ assert.strictEqual(Buffer.alloc(0).slice(0, 1).length, 0);
 
 // slice(0,0).length === 0
 assert.strictEqual(0, Buffer.from('hello').slice(0, 0).length);
+
+{
+  // Regression tests for https://github.com/nodejs/node/issues/9096
+  const buf = Buffer.from('abcd');
+  assert.strictEqual(buf.slice(buf.length / 3).toString(), 'bcd');
+  assert.strictEqual(
+    buf.slice(buf.length / 3, buf.length).toString(),
+    'bcd'
+  );
+}