authorСковорода Никита Андреевич <chalkerx@gmail.com>2018-04-24 07:03:19 +0300
committerСковорода Никита Андреевич <chalkerx@gmail.com>2018-06-20 17:56:21 +0300
commit9e5fe8eebd31c3998702f3b174058b6cd3154970 (patch)
treeddedd612b9f570054e2bb855f4e9ac6ad3a28b3f
parent215b42132b508561140ca2902c38822b9155db64 (diff)
downloadnode-new-9e5fe8eebd31c3998702f3b174058b6cd3154970.tar.gz
buffer: ensure zero-fill for Buffer.alloc(size,'')v4.x
This is applicable to v4.x only. Native Fill method is called from Buffer.alloc and from Buffer#fill, the second one is not affected by this, as Buffer#fill only calls the native method on either numbers as the second argument or non-zero-length strings. Fixes: https://github.com/nodejs-private/security/issues/192 PR-URL: https://github.com/nodejs-private/node-private/pull/118 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Evan Lucas <evanlucas@me.com> Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com> Reviewed-By: Timothy Gu <timothygu99@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
-rw-r--r--src/node_buffer.cc4
-rw-r--r--test/parallel/test-buffer-alloc-is-filled.js20
2 files changed, 23 insertions, 1 deletions
diff --git a/src/node_buffer.cc b/src/node_buffer.cc
index 11317328a6..2503274446 100644
--- a/src/node_buffer.cc
+++ b/src/node_buffer.cc
@@ -612,8 +612,10 @@ void Fill(const FunctionCallbackInfo<Value>& args) {
size_t in_there = str_length;
char* ptr = ts_obj_data + start + str_length;
- if (str_length == 0)
+ if (str_length == 0) {
+ memset(ts_obj_data + start, 0, length);
return;
+ }
memcpy(ts_obj_data + start, *str, MIN(str_length, length));
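Review bot: The `memset` added in the `str_length == 0` branch has no comment explaining why an empty fill must still write to the buffer, and that is the security-relevant part of the change. Per the commit message, the native Fill is what `Buffer.alloc(size, fill)` relies on to initialise the memory, so a bare `return` hands back whatever the allocation previously held. I would put `// Buffer.alloc() relies on Fill to initialise the whole range; an empty fill string must still zero it.` directly above the `memset` so the line is not later removed as redundant. Fill starts and continues outside this hunk, so the bounds on `start`/`length` and any other early return that leaves the range unwritten cannot be checked from here and should be confirmed against the full function.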
diff --git a/test/parallel/test-buffer-alloc-is-filled.js b/test/parallel/test-buffer-alloc-is-filled.js
new file mode 100644
index 0000000000..bd6bdb6f29
--- /dev/null
+++ b/test/parallel/test-buffer-alloc-is-filled.js
@@ -0,0 +1,20 @@
+'use strict';
+
+require('../common');
+const assert = require('assert');
+
+for (const fill of [
+ '',
+ [],
+ Buffer.from(''),
+ new Uint8Array(0),
+ { toString: () => '' },
+ { toString: () => '', length: 10 }
+]) {
+ for (let i = 0; i < 50; i++) {
+ const buf = Buffer.alloc(100, fill);
+ assert.strictEqual(buf.length, 100);
+ for (let n = 0; n < buf.length; n++)
+ assert.strictEqual(buf[n], 0);
+ }
+}
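Review bot: Every case in the `fill` list is passed as `Buffer.alloc(100, fill)` with no encoding argument, so the three-argument form never reaches the new zero-fill branch in this test. Adding a case such as `Buffer.alloc(100, '', 'hex')` would cover it; whether the encoding changes the native path is not visible on this page, so treat that as a coverage gap to confirm rather than a known hole. The file also lacks a header comment stating the invariant, for example `// Buffer.alloc() must never expose uninitialised memory, even when the fill value is empty.`. That comment could also note that the check depends on the allocator returning non-zero residue, which is presumably why the allocation is repeated 50 times.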