Protobuf check can crash Node with "Fatal JavaScript invalid size error" #80

Open
pmarrapese opened this issue Nov 23, 2024 · 0 comments


In situations where the Protobuf check runs, Reader.next does not perform any boundary or error checking. This can result in it trying to create an absurdly-sized array & crashing the Node process.

Example code that results in a call to Reader.next with a size of 199229795

const { isBinaryFileSync } = require('isbinaryfile');
let buff = Buffer.from('82ACE2828045E382805FE1828053E7828045E7878045E8838145E2988445E2948545E2828D4CE2828A44E28280418CF7EC2E', 'hex');
let result = isBinaryFileSync(buff);
console.log(result);

Output on isbinaryfile v5.0.4, node v20.18.1

#
# Fatal error in , line 0
# Fatal JavaScript invalid size error 188720663 (see crbug.com/1201626)
#
#
#
#FailureMessage Object: 0x7ffeebf9b110
----- Native stack trace -----

 1: 0xd44db1  [node]
 2: 0x218f121 V8_Fatal(char const*, ...) [node]
 3: 0x10d52e8  [node]
 4: 0x12b3fcf  [node]
 5: 0x12b4157  [node]
 6: 0x152eb76 v8::internal::Runtime_GrowArrayElements(int, unsigned long*, v8::internal::Isolate*) [node]
 7: 0x7d2afbed9ef6
Trace/breakpoint trap (core dumped)
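
The kind of boundary check the issue says is missing, as an added example that is not part of the original issue and not isbinaryfile's code. `BoundedReader` and `readLengthDelimited` are hypothetical names; the sample input is the buffer from the issue, read as a key varint followed by a length varint.

```javascript
// Added example, not isbinaryfile's code; BoundedReader and readLengthDelimited are hypothetical names.
const MAX_VARINT_BYTES = 10; // longest valid protobuf varint (64-bit value)

class BoundedReader {
  constructor(buf) { this.buf = buf; this.offset = 0; }
  remaining() { return this.buf.length - this.offset; }

  // Decode a base-128 varint; fail on truncation or an over-long encoding.
  readVarint() {
    let value = 0;
    let scale = 1;
    for (let i = 0; i < MAX_VARINT_BYTES; i++) {
      if (this.remaining() < 1) throw new RangeError('truncated varint');
      const byte = this.buf[this.offset++];
      value += (byte & 0x7f) * scale;
      if ((byte & 0x80) === 0) {
        if (!Number.isSafeInteger(value)) throw new RangeError('varint too large');
        return value;
      }
      scale *= 128;
    }
    throw new RangeError('varint longer than 10 bytes');
  }

  // Validate the untrusted length against the bytes actually present, then
  // return a view (no copy), so nothing is ever sized by the declared length.
  next(len) {
    if (!Number.isInteger(len) || len < 0 || len > this.remaining()) {
      throw new RangeError(`length ${len} is outside 0..${this.remaining()}`);
    }
    const view = this.buf.subarray(this.offset, this.offset + len);
    this.offset += len;
    return view;
  }
}

// Parse one length-delimited field (wire type 2), reporting failure instead of throwing.
function readLengthDelimited(buf) {
  const reader = new BoundedReader(buf);
  try {
    if (reader.readVarint() % 8 !== 2) return { ok: false, reason: 'not wire type 2' };
    return { ok: true, payload: reader.next(reader.readVarint()) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Buffer from the issue: the varint after the key (E3 82 80 5F) decodes to 199229795.
const issueBuf = Buffer.from('82ACE2828045E382805FE1828053E7828045E7878045E8838145E2988445E2948545E2828D4CE2828A44E28280418CF7EC2E', 'hex');
console.log(readLengthDelimited(issueBuf));
```

The declared length is compared with the 40 bytes left in the 50-byte buffer and rejected, so the input is handled as malformed instead of driving an allocation.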