Skip to content

Commit

Permalink
buffer: zero fill Buffer(num) by default
Browse files Browse the repository at this point in the history
PR-URL: #12141
Ref: nodejs/CTC#89
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Prince John Wesley <[email protected]>
Reviewed-By: Evan Lucas <[email protected]>
  • Loading branch information
jasnell committed Apr 3, 2017
1 parent 7b4a72d commit 7eb1b46
Show file tree
Hide file tree
Showing 3 changed files with 34 additions and 18 deletions.
36 changes: 19 additions & 17 deletions doc/api/buffer.md
Original file line number Diff line number Diff line change
Expand Up @@ -52,13 +52,16 @@ In versions of Node.js prior to v6, `Buffer` instances were created using the
differently based on what arguments are provided:

* Passing a number as the first argument to `Buffer()` (e.g. `new Buffer(10)`),
allocates a new `Buffer` object of the specified size. The memory allocated
for such `Buffer` instances is *not* initialized and *can contain sensitive
data*. Such `Buffer` instances *must* be initialized *manually* by using either
[`buf.fill(0)`][`buf.fill()`] or by writing to the `Buffer` completely. While
this behavior is *intentional* to improve performance, development experience
has demonstrated that a more explicit distinction is required between creating
a fast-but-uninitialized `Buffer` versus creating a slower-but-safer `Buffer`.
allocates a new `Buffer` object of the specified size. Prior to Node.js 8.0.0,
the memory allocated for such `Buffer` instances is *not* initialized and
*can contain sensitive data*. Such `Buffer` instances *must* be subsequently
initialized by using either [`buf.fill(0)`][`buf.fill()`] or by writing to the
`Buffer` completely. While this behavior is *intentional* to improve
performance, development experience has demonstrated that a more explicit
distinction is required between creating a fast-but-uninitialized `Buffer`
versus creating a slower-but-safer `Buffer`. Starting in Node.js 8.0.0,
`Buffer(num)` and `new Buffer(num)` will return a `Buffer` with initialized
memory.
* Passing a string, array, or `Buffer` as the first argument copies the
passed object's data into the `Buffer`.
* Passing an [`ArrayBuffer`] returns a `Buffer` that shares allocated memory with
Expand Down Expand Up @@ -427,6 +430,9 @@ console.log(buf2.toString());
<!-- YAML
deprecated: v6.0.0
changes:
- version: v8.0.0
pr-url: https://github.com/nodejs/node/pull/12141
description: new Buffer(size) will return zero-filled memory by default.
- version: v7.2.1
pr-url: https://github.com/nodejs/node/pull/9529
description: Calling this constructor no longer emits a deprecation warning.
Expand All @@ -444,21 +450,17 @@ Allocates a new `Buffer` of `size` bytes. If the `size` is larger than
[`buffer.kMaxLength`] or smaller than 0, a [`RangeError`] will be thrown.
A zero-length `Buffer` will be created if `size` is 0.

Unlike [`ArrayBuffers`][`ArrayBuffer`], the underlying memory for `Buffer` instances
created in this way is *not initialized*. The contents of a newly created `Buffer`
are unknown and *could contain sensitive data*. Use
[`Buffer.alloc(size)`][`Buffer.alloc()`] instead to initialize a `Buffer` to zeroes.
Prior to Node.js 8.0.0, the underlying memory for `Buffer` instances
created in this way is *not initialized*. The contents of a newly created
`Buffer` are unknown and *may contain sensitive data*. Use
[`Buffer.alloc(size)`][`Buffer.alloc()`] instead to initialize a `Buffer`
to zeroes.

Example:

```js
const buf = new Buffer(10);

// Prints: (contents may vary): <Buffer 48 21 4b 00 00 00 00 00 30 dd>
console.log(buf);

buf.fill(0);

// Prints: <Buffer 00 00 00 00 00 00 00 00 00 00>
console.log(buf);
```
Expand Down Expand Up @@ -2595,7 +2597,7 @@ Allocates a new `Buffer` of `size` bytes. If the `size` is larger than
A zero-length `Buffer` will be created if `size` is 0.

The underlying memory for `SlowBuffer` instances is *not initialized*. The
contents of a newly created `SlowBuffer` are unknown and could contain
contents of a newly created `SlowBuffer` are unknown and may contain
sensitive data. Use [`buf.fill(0)`][`buf.fill()`] to initialize a `SlowBuffer` to zeroes.

Example:
Expand Down
2 changes: 1 addition & 1 deletion lib/buffer.js
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ function Buffer(arg, encodingOrOffset, length) {
'If encoding is specified then the first argument must be a string'
);
}
return Buffer.allocUnsafe(arg);
return Buffer.alloc(arg);
}
return Buffer.from(arg, encodingOrOffset, length);
}
Expand Down
14 changes: 14 additions & 0 deletions test/parallel/test-buffer-zero-fill.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
'use strict';

require('../common');
const assert = require('assert');
const Buffer = require('buffer').Buffer;

const buf1 = Buffer(100);
const buf2 = new Buffer(100);

for (let n = 0; n < buf1.length; n++)
assert.strictEqual(buf1[n], 0);

for (let n = 0; n < buf2.length; n++)
assert.strictEqual(buf2[n], 0);

0 comments on commit 7eb1b46

Please sign in to comment.