buffer: prevent abort on bad proto

If an object's prototype is munged it's possible to bypass the
instanceof check and cause the application to abort. Instead now use
HasInstance() to verify that the object is a Buffer, and throw if not.

This check will not work for JS only methods. So while the application
won't abort, it also won't throw.

In order to properly throw in all cases with toString() the JS
optimization of checking that length is zero has been removed. In its
place the native methods will now return early if a zero length string
is detected.

Ref: nodejs#1486
Ref: nodejs#1922
Fixes: nodejs#1485
PR-URL: nodejs#2012
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

Author: trevnorris

test/parallel/test-buffer-fakes.js

@@ -0,0 +1,56 @@
+'use strict';
+
+const common = require('../common');
+const assert = require('assert');
+const Buffer = require('buffer').Buffer;
+const Bp = Buffer.prototype;
+
+function FakeBuffer() { }
+FakeBuffer.__proto__ = Buffer;
+FakeBuffer.prototype.__proto__ = Buffer.prototype;
+
+const fb = new FakeBuffer();
+
+assert.throws(function() {
+  new Buffer(fb);
+}, TypeError);
+
+assert.throws(function() {
+  +Buffer.prototype;
+}, TypeError);
+
+assert.throws(function() {
+  Buffer.compare(fb, new Buffer(0));
+}, TypeError);
+
+assert.throws(function() {
+  fb.write('foo');
+}, TypeError);
+
+assert.throws(function() {
+  Buffer.concat([fb, fb]);
+}, TypeError);
+
+assert.throws(function() {
+  fb.toString();
+}, TypeError);
+
+assert.throws(function() {
+  fb.equals(new Buffer(0));
+}, TypeError);
+
+assert.throws(function() {
+  fb.indexOf(5);
+}, TypeError);
+
+assert.throws(function() {
+  fb.readFloatLE(0);
+}, TypeError);
+
+assert.throws(function() {
+  fb.writeFloatLE(0);
+}, TypeError);
+
+assert.throws(function() {
+  fb.fill(0);
+}, TypeError);