File: to-string_numbers.patch

node-concat-stream 1.5.1-2
Description: to-string numbers written to the stream
 Node-concat-stream is vulnerable to Uninitialized Memory Exposure. This
 possible memory disclosure vulnerability exists when a value of type number
 is provided to the stringConcat() method and results in concatenation of
 uninitialized memory to the stream collection.
 This is a result of unobstructed use of the Buffer constructor, whose
 insecure default constructor increases the odds of memory leakage.
 See https://snyk.io/vuln/npm:concat-stream:20160901 for further details.
Origin: upstream, https://github.com/maxogden/concat-stream/
Bug: https://github.com/maxogden/concat-stream/issues/55
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863481
Applied-Upstream: https://github.com/maxogden/concat-stream/pull/47/commits/3e285ba5e5b10b7c98552217f5c1023829efe69e
Last-Update: 2017-05-28
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- node-concat-stream.orig/index.js
+++ node-concat-stream/index.js
@@ -73,6 +73,10 @@
   return /Array\]$/.test(Object.prototype.toString.call(arr))
 }
 
+function isBufferish (p) {
+  return typeof p === 'string' || isArrayish(p) || (p && typeof p.subarray === 'function')
+}
+
 function stringConcat (parts) {
   var strings = []
   var needsToString = false
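Review bot: `isBufferish` carries no comment saying that it is the guard deciding which values may reach `Buffer()` unconverted, so a later edit could widen it without noticing the security consequence. I would add above it something like `// Values safe to hand to Buffer() as data; everything else (notably numbers) must be stringified first, because Buffer(n) allocates n uninitialised bytes.` The function also returns `p` itself rather than a boolean for falsy inputs such as `0` or `null`; that is harmless in the two `else if` uses in this patch, but `!!(p && typeof p.subarray === 'function')` would make it a true predicate.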
@@ -82,8 +86,10 @@
       strings.push(p)
     } else if (Buffer.isBuffer(p)) {
       strings.push(p)
-    } else {
+    } else if (isBufferish(p)) {
       strings.push(Buffer(p))
+    } else {
+      strings.push(Buffer(String(p)))
     }
   }
   if (Buffer.isBuffer(parts[0])) {
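Review bot: The new `strings.push(Buffer(p))` and `strings.push(Buffer(String(p)))` lines still call the overloaded Buffer constructor, so the fix holds only while `isBufferish` never lets a number through; the same applies to the two `bufs.push(Buffer(...))` lines in the bufferConcat hunk that follows. Where the supported Node versions provide a real `Buffer.from`, writing `Buffer.from(p)` and `Buffer.from(String(p))` would make a numeric argument throw instead of allocating uninitialised memory, which removes the dependency on the predicate. Whether the packaged runtime range allows that is not visible here and should be confirmed before changing it. stringConcat starts and ends outside this hunk.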
@@ -101,10 +107,11 @@
     var p = parts[i]
     if (Buffer.isBuffer(p)) {
       bufs.push(p)
-    } else if (typeof p === 'string' || isArrayish(p)
-    || (p && typeof p.subarray === 'function')) {
+    } else if (isBufferish(p)) {
       bufs.push(Buffer(p))
-    } else bufs.push(Buffer(String(p)))
+    } else {
+      bufs.push(Buffer(String(p)))
+    }
   }
   return Buffer.concat(bufs)
 }
--- node-concat-stream.orig/test/string.js
+++ node-concat-stream/test/string.js
@@ -58,7 +58,7 @@
   var snowman = new Buffer('☃')
   for (var i = 0; i < 8; i++) {
     strings.write(snowman.slice(0, 1))
-    strings.write(snowman.slice(1))    
+    strings.write(snowman.slice(1))
   }
   strings.end()
 })
@@ -74,3 +74,14 @@
   strings.write("dogs")
   strings.end()
 })
+
+test('to string numbers', function (t) {
+  var write = concat(function (str) {
+    t.equal(str, 'a1000')
+    t.end()
+  })
+
+  write.write('a')
+  write.write(1000)
+  write.end()
+})
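Review bot: The new test writes the number after a string, so it does not exercise the case where the number is the first chunk, which is the element `stringConcat` inspects with `Buffer.isBuffer(parts[0])` to pick its join strategy. A second case with the number written first would pin that ordering as well. The sketch below forces string mode through the `encoding` option so the result does not depend on encoding inference; the expected value assumes the non-Buffer branch joins the parts as strings, which lies outside the visible hunks and should be confirmed.

```javascript
test('to string numbers, number written first', function (t) {
  var write = concat({ encoding: 'string' }, function (str) {
    t.equal(str, '1000a')
    t.end()
  })

  write.write(1000)
  write.write('a')
  write.end()
})
```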