diff --git a/.travis.yml b/.travis.yml
index 373bb4a..a349506 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,15 +1,12 @@
 sudo: false
 language: node_js
 node_js:
-  - '0.10'
-  - '0.12'
-  - '4'
   - '6'
   - '8'
-  - '9'
-branches:
-  only:
-    - master
+  - '10'
+  - '12'
+  - '14'
+  - lts/*
 notifications:
   email:
     - rod@vagg.org
diff --git a/bl.js b/bl.js
index db536f3..0c8de18 100644
--- a/bl.js
+++ b/bl.js
@@ -173,18 +173,22 @@ BufferList.prototype.copy = function copy (dst, dstStart, srcStart, srcEnd) {
 
     if (bytes > l) {
       this._bufs[i].copy(dst, bufoff, start)
+      bufoff += l
     } else {
       this._bufs[i].copy(dst, bufoff, start, start + bytes)
+      bufoff += l
       break
     }
 
-    bufoff += l
     bytes -= l
 
     if (start)
       start = 0
   }
 
+  // safeguard so that we don't return uninitialized memory
+  if (dst.length > bufoff) return dst.slice(0, bufoff)
+
   return dst
 }
 
@@ -217,6 +221,11 @@ BufferList.prototype.toString = function toString (encoding, start, end) {
 }
 
 BufferList.prototype.consume = function consume (bytes) {
+  // first, normalize the argument, in accordance with how Buffer does it
+  bytes = Math.trunc(bytes)
+  // do nothing if not a positive number
+  if (Number.isNaN(bytes) || bytes <= 0) return this
+
   while (this._bufs.length) {
     if (bytes >= this._bufs[0].length) {
       bytes -= this._bufs[0].length
diff --git a/package.json b/package.json
index 3f050ca..1ffd252 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "bl",
-  "version": "1.2.2",
+  "version": "1.2.3",
   "description": "Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!",
   "main": "bl.js",
   "scripts": {
diff --git a/test/test.js b/test/test.js
index e121487..dac1861 100644
--- a/test/test.js
+++ b/test/test.js
@@ -381,6 +381,22 @@ tape('test toString encoding', function (t) {
   t.end()
 })
 
+tape('uninitialized memory', function (t) {
+  const secret = crypto.randomBytes(256)
+  for (let i = 0; i < 1e6; i++) {
+    const clone = Buffer.from(secret)
+    const bl = new BufferList()
+    bl.append(Buffer.from('a'))
+    bl.consume(-1024)
+    const buf = bl.slice(1)
+    if (buf.indexOf(clone) !== -1) {
+      t.fail(`Match (at ${i})`)
+      break
+    }
+  }
+  t.end()
+})
+
 !process.browser && tape('test stream', function (t) {
   var random = crypto.randomBytes(65534)
     , rndhash = hash(random, 'md5')