From fd6fd78f0fe5d920f96fd82a3c5e5d29bb25836b Mon Sep 17 00:00:00 2001
From: Jarred Sumner <jarred@jarredsumner.com>
Date: Mon, 26 Feb 2024 19:15:28 -0800
Subject: [PATCH] Fixes #9120 (#9128)

* Fixes #9120

* Update buffer.test.js

---------

Co-authored-by: Jarred Sumner <709451+Jarred-Sumner@users.noreply.github.com>
---
 src/bun.js/bindings/JSBuffer.cpp | 16 ++++++++++------
 test/js/node/buffer.test.js      | 26 ++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/src/bun.js/bindings/JSBuffer.cpp b/src/bun.js/bindings/JSBuffer.cpp
index ebffd1a33c..f5929b6452 100644
--- a/src/bun.js/bindings/JSBuffer.cpp
+++ b/src/bun.js/bindings/JSBuffer.cpp
@@ -523,17 +523,19 @@ static inline JSC::EncodedJSValue jsBufferConstructorFunction_allocBody(JSC::JSG
             auto* start = uint8Array->typedVector();
             auto* head = start;
             size_t remain = uint8Array->byteLength();
+            length = std::min(length, remain);
+
             memmove(head, view->vector(), length);
             remain -= length;
             head += length;
-            while (remain >= length) {
-                memcpy(head, start, length);
+            while (remain >= length && length > 0) {
+                memmove(head, start, length);
                 remain -= length;
                 head += length;
                 length <<= 1;
             }
             if (remain > 0) {
-                memcpy(head, start, remain);
+                memmove(head, start, remain);
             }
         } else {
             auto value_ = value.toInt32(lexicalGlobalObject) & 0xFF;
@@ -1202,17 +1204,19 @@ static inline JSC::EncodedJSValue jsBufferPrototypeFunction_fillBody(JSC::JSGlob
             return JSC::JSValue::encode(jsUndefined());
         }
 
+        length = std::min(length, remain);
+
         memmove(head, view->vector(), length);
         remain -= length;
         head += length;
-        while (remain >= length) {
-            memcpy(head, startPtr, length);
+        while (remain >= length && length > 0) {
+            memmove(head, startPtr, length);
             remain -= length;
             head += length;
             length <<= 1;
         }
         if (remain > 0) {
-            memcpy(head, startPtr, remain);
+            memmove(head, startPtr, remain);
         }
     } else {
         auto value_ = value.toInt32(lexicalGlobalObject) & 0xFF;
diff --git a/test/js/node/buffer.test.js b/test/js/node/buffer.test.js
index ee32d73218..a182fddcdb 100644
--- a/test/js/node/buffer.test.js
+++ b/test/js/node/buffer.test.js
@@ -6,6 +6,32 @@ const BufferModule = await import("buffer");
 beforeEach(() => gc());
 afterEach(() => gc());
 
+it("#9120 fill", () => {
+  let abBuf = Buffer.alloc(2, "ab");
+  let x = Buffer.alloc(1);
+  x.fill(abBuf);
+  expect(x.toString()).toBe("a");
+
+  for (let count = 2; count < 10; count += 2) {
+    const full = Buffer.from("a".repeat(count) + "b".repeat(count));
+    const x = Buffer.alloc(count);
+    x.fill(full);
+    expect(x.toString()).toBe("a".repeat(count));
+  }
+});
+
+it("#9120 alloc", () => {
+  let abBuf = Buffer.alloc(2, "ab");
+  let x = Buffer.alloc(1, abBuf);
+  expect(x.toString()).toBe("a");
+
+  for (let count = 2; count < 10; count += 2) {
+    const full = Buffer.from("a".repeat(count) + "b".repeat(count));
+    const x = Buffer.alloc(count, full);
+    expect(x.toString()).toBe("a".repeat(count));
+  }
+});
+
 it("isAscii", () => {
   expect(isAscii(new Buffer("abc"))).toBeTrue();
   expect(isAscii(new Buffer(""))).toBeTrue();