
#11443: LINE: fix buffer guards in detectContentType + add tests

by MdRahmatUllah open 2026-02-07 20:21
stale
## Summary

Fixes a bug in `src/line/download.ts` where buffer length guards were insufficient, causing potential out-of-bounds array access when detecting content types from LINE media downloads.

## What was fixed

1. **Added per-format buffer length checks**: Each magic-byte pattern now has its own length guard matching the exact number of bytes it accesses (JPEG: >=2, PNG: >=4, GIF: >=3, WebP: >=12, M4A: >=8, MP4: >=8)
2. **Reordered M4A before MP4**: The M4A check is more specific (requires `0x00 0x00 0x00` prefix + `ftyp`), so it must come before the generic MP4 check to avoid being unreachable (fixes pre-existing dead code)
3. **Added `__testing` export**: Exposed `detectContentType` and `getExtensionForContentType` for unit testing

## Testing

- Added 24 new tests in `src/line/download.test.ts`:
  - 14 tests for `detectContentType` (all 6 formats + 8 edge cases including empty buffers, truncated buffers, and unrecognized bytes)
  - 10 tests for `getExtensionForContentType` (all 7 known MIME types + 3 fallback cases)
- All new tests pass (24/24)
- Full test suite: 843 test files pass (8 pre-existing failures unrelated to these changes)
- `pnpm lint` and `pnpm format` both pass

## Impact

This is a **bug fix** with no user-facing behavior changes. It only prevents potential crashes when processing malformed or truncated media files from LINE.

<!-- greptile_comment -->

<h2>Greptile Overview</h2>

<h3>Greptile Summary</h3>

This PR tightens magic-byte detection in `src/line/download.ts` by adding per-format buffer length guards and adding unit tests for `detectContentType` / `getExtensionForContentType` via a `__testing` export.

Main concern: the newly added 8–11 byte `ftyp` fallback unconditionally returns `video/mp4`, which can misclassify truncated/partial M4A audio as video and cause incorrect extensions downstream.

<h3>Confidence Score: 4/5</h3>

- This PR is largely safe to merge, but has one behavior-affecting misclassification edge case worth fixing.
- Buffer guard fixes and tests look correct and reduce OOB risk. The remaining issue is the new 8–11 byte `ftyp` fallback that always returns `video/mp4`, which can incorrectly label truncated audio as video and change downstream file extensions.
- src/line/download.ts

<!-- greptile_other_comments_section -->

<sub>(2/5) Greptile learns from your feedback when you react with thumbs up/down!</sub>

**Context used:**

- Context from `dashboard` - CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8))
- Context from `dashboard` - AGENTS.md ([source](https://app.greptile.com/review/custom-context?memory=0d0c8278-ef8e-4d6c-ab21-f5527e322f13))

<!-- /greptile_comment -->
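
An added sketch (not the code in `src/line/download.ts`, and not from the PR author) of the per-format guards and M4A-before-MP4 ordering listed in the description, generalized so each minimum length is computed from the signature's own offsets rather than written by hand. The names `detectContentTypeSketch`, `SIGNATURES`, `at` and `minLength`, the `audio/mp4` string for M4A and the `application/octet-stream` fallback are assumptions.

```typescript
// Added sketch; not the code in src/line/download.ts.
type Pair = [number, number]; // [offset, expected byte]
type Signature = { mime: string; bytes: Pair[] };

// Expand a byte list or ASCII string into [offset, byte] pairs starting at `offset`.
function at(offset: number, pattern: string | number[]): Pair[] {
  const codes =
    typeof pattern === "string" ? pattern.split("").map((c) => c.charCodeAt(0)) : pattern;
  return codes.map((value, i): Pair => [offset + i, value]);
}

const FTYP = at(4, "ftyp");

// Order matters: the M4A rule (three zero bytes plus "ftyp") is more specific
// than the generic MP4 rule, so it is listed first to stay reachable.
const SIGNATURES: Signature[] = [
  { mime: "image/jpeg", bytes: at(0, [0xff, 0xd8]) },
  { mime: "image/png", bytes: at(0, [0x89, 0x50, 0x4e, 0x47]) },
  { mime: "image/gif", bytes: at(0, "GIF") },
  { mime: "image/webp", bytes: at(0, "RIFF").concat(at(8, "WEBP")) },
  { mime: "audio/mp4", bytes: at(0, [0, 0, 0]).concat(FTYP) }, // MIME string assumed
  { mime: "video/mp4", bytes: FTYP },
];

const FALLBACK = "application/octet-stream"; // assumed fallback value

// Minimum buffer length = highest offset read + 1, derived from the signature
// itself so the guard cannot drift from the bytes the check touches.
function minLength(sig: Signature): number {
  return sig.bytes.reduce((max, [offset]) => Math.max(max, offset + 1), 0);
}

function detectContentTypeSketch(buf: Uint8Array): string {
  for (const sig of SIGNATURES) {
    if (buf.length < minLength(sig)) continue; // per-format length guard
    if (sig.bytes.every(([offset, value]) => buf[offset] === value)) return sig.mime;
  }
  return FALLBACK;
}
```

The computed minimums come out as 2, 4, 3, 12, 8 and 8, matching the per-format guards the description lists.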
