"deserializer.readDouble()" results in an abort #37978
Hey there! 😄 I wanted to suggest a fix; I'm not really sure about all the conventions.
I can reproduce on master.
lazyparser pushed a commit to riscv-collab/v8 that referenced this issue on Apr 6, 2021:
If end_ is smaller than sizeof(double), the result would wrap around, and lead to an invalid memory access. Refs: nodejs/node#37978 Change-Id: Ibc8ddcb0c090358789a6a02f550538f91d431c1d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2801353 Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#73800}
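The wraparound the commit message describes, as an added illustration that is not V8's code: a bounds check written as `position > end - sizeof(double)` passes when `end` is smaller than `sizeof(double)`, because the subtraction wraps to a huge value, and the caller then reads past the buffer. Comparing the bytes remaining against the bytes needed does not wrap. The cursor and limit are modelled here as byte offsets rather than V8's raw pointers (an assumption made so the wraparound is well-defined unsigned arithmetic); the struct and function names are invented for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy deserializer state modelled after the description in the commit
 * message: a cursor `position` and a limit `end`, kept as byte offsets
 * into `data` (assumption: offsets instead of V8's pointers, so that the
 * wraparound below is well-defined unsigned arithmetic). */
typedef struct {
    const uint8_t *data;
    size_t position;
    size_t end;
} ToyDeserializer;

/* The buggy shape of the check: `position > end - sizeof(double)`.
 * When end < sizeof(double), `end - sizeof(double)` wraps to a huge
 * value, the comparison is false, and a caller that trusted it would
 * read 8 bytes past the buffer. Returns true when the check would
 * permit the read; it deliberately performs no read itself. */
bool buggy_check_allows_read(size_t position, size_t end) {
    return !(position > end - sizeof(double));
}

/* The corrected shape: compare the bytes remaining against the bytes
 * needed. With position <= end as an invariant, `end - position` cannot
 * wrap, so an empty or short buffer is rejected. */
bool safe_check_allows_read(size_t position, size_t end) {
    return !(sizeof(double) > end - position);
}

/* Read a host-endian double guarded by the safe check. Returns true and
 * advances the cursor on success; returns false with the cursor untouched
 * on a short buffer, i.e. an error result rather than an abort, which is
 * the behaviour the issue asks for. */
bool read_double_checked(ToyDeserializer *d, double *out) {
    if (!safe_check_allows_read(d->position, d->end)) return false;
    memcpy(out, d->data + d->position, sizeof(double));
    d->position += sizeof(double);
    return true;
}

/* Convenience wrapper: read one double from the start of a raw buffer. */
bool read_double_from(const uint8_t *buf, size_t len, double *out) {
    ToyDeserializer d = { buf, 0, len };
    return read_double_checked(&d, out);
}
```

The two check functions take the same arguments so the difference is visible in isolation: for an empty buffer (`position == end == 0`) the buggy form reports "read allowed" while the safe form reports "read rejected". The same class of defect appears whenever a length check is phrased as `cursor > limit - needed` on unsigned or pointer values; phrasing it as `needed > limit - cursor`, with `cursor <= limit` maintained as an invariant, removes the wrap.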
Should this remain open anymore? The fix for this seems to have landed already in v8 at https://chromium-review.googlesource.com/c/v8/v8/+/2801353.
I plan to open a PR to bring that commit into Node later today.
cjihrig added a commit to cjihrig/node that referenced this issue on Apr 7, 2021:
Original commit message: Fix ValueDeserializer::ReadDouble() bounds check If end_ is smaller than sizeof(double), the result would wrap around, and lead to an invalid memory access. Refs: nodejs#37978 Change-Id: Ibc8ddcb0c090358789a6a02f550538f91d431c1d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2801353 Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#73800} Refs: v8/v8@501482cbc704 Fixes: nodejs#37978
cjihrig added a commit to cjihrig/node that referenced this issue on Apr 8, 2021:
Original commit message: Fix ValueDeserializer::ReadDouble() bounds check If end_ is smaller than sizeof(double), the result would wrap around, and lead to an invalid memory access. Refs: nodejs#37978 Change-Id: Ibc8ddcb0c090358789a6a02f550538f91d431c1d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2801353 Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#73800} Refs: v8/v8@501482cbc704 Fixes: nodejs#37978
cjihrig added a commit to cjihrig/node that referenced this issue on Apr 8, 2021.
cjihrig added a commit to cjihrig/node that referenced this issue on Apr 9, 2021:
Refs: nodejs#37978 PR-URL: nodejs#38121 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com>
targos pushed a commit that referenced this issue on May 1, 2021:
Original commit message: Fix ValueDeserializer::ReadDouble() bounds check If end_ is smaller than sizeof(double), the result would wrap around, and lead to an invalid memory access. Refs: #37978 Change-Id: Ibc8ddcb0c090358789a6a02f550538f91d431c1d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2801353 Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#73800} PR-URL: #38121 Fixes: #37978 Refs: v8/v8@501482cbc704 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com>
danielleadams pushed a commit that referenced this issue on May 8, 2021:
Original commit message: Fix ValueDeserializer::ReadDouble() bounds check If end_ is smaller than sizeof(double), the result would wrap around, and lead to an invalid memory access. Refs: #37978 Change-Id: Ibc8ddcb0c090358789a6a02f550538f91d431c1d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2801353 Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#73800} PR-URL: #38121 Fixes: #37978 Refs: v8/v8@501482cbc704 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com>
What steps will reproduce the bug?
Set up a node instance, and run the following JavaScript code.
Then an abort occurs.
How often does it reproduce? Is there a required condition?
This abort can always be triggered following the steps above.
What is the expected behavior?
If any error occurs, an exception or other similar error-reporting stuff should be thrown. There is no reason to abort the whole node process.
What do you see instead?
Additional information