From 0767c2feb1cb6921acd18be3392d331e093b2b4c Mon Sep 17 00:00:00 2001 From: Ben Noordhuis Date: Thu, 29 Jan 2015 20:57:54 +0100 Subject: [PATCH] lib: fix max size check in Buffer constructor A number -> uint32 type coercion bug made buffer sizes larger than kMaxLength (0x3fffffff) wrap around. Instead of rejecting the requested size with an exception, the constructor created a buffer with the wrong size. PR-URL: https://github.com/iojs/io.js/pull/657 Reviewed-By: Trevor Norris --- lib/buffer.js | 10 +++++++--- test/parallel/test-buffer.js | 3 +++ 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/lib/buffer.js b/lib/buffer.js index 4c87726d57..41de85e673 100644 --- a/lib/buffer.js +++ b/lib/buffer.js @@ -31,7 +31,7 @@ function Buffer(subject, encoding) { return new Buffer(subject, encoding); if (util.isNumber(subject)) { - this.length = subject > 0 ? subject >>> 0 : 0; + this.length = +subject; } else if (util.isString(subject)) { if (!util.isString(encoding) || encoding.length === 0) @@ -42,8 +42,7 @@ function Buffer(subject, encoding) { } else if (util.isObject(subject)) { if (subject.type === 'Buffer' && util.isArray(subject.data)) subject = subject.data; - // Must use floor() because array length may be > kMaxLength. - this.length = +subject.length > 0 ? Math.floor(+subject.length) : 0; + this.length = +subject.length; } else { throw new TypeError('must start with number, buffer, array or string'); @@ -54,6 +53,11 @@ function Buffer(subject, encoding) { 'size: 0x' + kMaxLength.toString(16) + ' bytes'); } + if (this.length < 0) + this.length = 0; + else + this.length >>>= 0; // Coerce to uint32. + this.parent = undefined; if (this.length <= (Buffer.poolSize >>> 1) && this.length > 0) { if (this.length > poolSize - poolOffset) diff --git a/test/parallel/test-buffer.js b/test/parallel/test-buffer.js index 1188c1f019..3c25b8e3c3 100644 --- a/test/parallel/test-buffer.js +++ b/test/parallel/test-buffer.js 
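Review bot: The clamp added in the third lib/buffer.js hunk (`@@ -54,6 +53,11 @@`) only fixes the wrap-around because it runs after the kMaxLength check, and nothing in the code records that ordering requirement. The first two hunks now store the raw `+subject` and `+subject.length`, so moving the `>>>= 0` back above the size check would silently restore the truncation that let oversized requests through. I would add a comment above `if (this.length < 0)` such as `// Must stay after the kMaxLength check: coercing to uint32 first wraps oversized lengths back into range.` The comment could also say that NaN fails the `< 0` test and becomes 0 through `>>>=`; it presumably passes the size comparison too. The size check itself and the rest of the Buffer constructor lie outside the hunks shown.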
@@ -1163,3 +1163,6 @@ assert.throws(function() {
 var b = new Buffer(1);
 b.equals('abc');
 });
+
+// Regression test for https://github.com/iojs/io.js/issues/649.
+assert.throws(function() { Buffer(1422561062959).toString('utf8'); });
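Review bot: The regression test on the last added line passes if either the constructor or `.toString('utf8')` throws, so it does not pin the fix to the size check in the Buffer constructor. Dropping the `toString` call and naming the expected error type would make it fail for the right reason, e.g. `assert.throws(function() { new Buffer(1422561062959); }, RangeError);`. The thrown type is not visible in this patch, so confirm it before adding the second argument. Only the numeric branch is covered; a line such as `assert.throws(function() { new Buffer({ length: 1422561062959 }); }, RangeError);` would also exercise the array-like path changed in lib/buffer.js.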