fs.stat crash program on invalid string #55914

Closed
AjaniBilby opened this issue Nov 19, 2024 · 2 comments · Fixed by libuv/libuv#4609
Labels
libuv Issues and PRs related to the libuv dependency or the uv binding. windows Issues and PRs related to the Windows platform.

AjaniBilby commented Nov 19, 2024

Version

v22.2.0

Platform

Microsoft Windows NT 10.0.22631.0 x64

Subsystem

No response

What steps will reproduce the bug?

This will crash the entire program; it is not even recoverable with a try statement.

import fs from "fs";
fs.stat("ᜄȺy𐞲:𞢢𘴇𐀀'¥3̞[<i$", function onstat (err, stat) {
	console.log("unreachable");
});

logs:

Assertion failed: w_target_len == 0, file c:\ws\deps\uv\src\idna.c, line 408

How often does it reproduce? Is there a required condition?

I think this might be Windows-only based on the libuv source.

What is the expected behavior? Why is that the expected behavior?

Throw an error/call the actual callback with the error.

What do you see instead?

The entire program crashes

Additional information

I discovered this by performing a fuzz test on my remix.js site which uses express.js which uses fs.stat.
This can take down a production server no matter their routes with just an HTTP GET request as long as they have express.static or similar behaviour for static file serving.

See remix-run/remix#10241

@juanarbol juanarbol added windows Issues and PRs related to the Windows platform. libuv Issues and PRs related to the libuv dependency or the uv binding. labels Nov 19, 2024
@juanarbol
Member

Ping @nodejs/libuv

bnoordhuis added a commit to bnoordhuis/libuv that referenced this issue Nov 19, 2024
uv_wtf8_length_as_utf16() checks if codepoints are > 0xFFFF (to see if
it should be encoded as a surrogate pair), therefore uv_wtf8_to_utf16()
should too. Instead it checked > 0x1000. Harmonize the checks.

Fixes: nodejs/node#55914
@bnoordhuis
Member

bnoordhuis commented Nov 19, 2024

Off-by-one error, fix in libuv/libuv#4609. I should check if more wtf8 functions have that issue but I don't have time right now.
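
Added example, not libuv's code: a simplified C model of the mismatch between the sizing pass and the writing pass described in the commit message above, reporting the leftover count and the first code point the two passes size differently. The helper names, the `pair_above` parameter, the 0x10000 comparison value and the sample bytes are constructed for illustration, and the input is assumed to be well-formed UTF-8.

```c
#include <stdint.h>
#include <stdio.h>

/* Decode one code point from well-formed UTF-8 and advance *p. */
static uint32_t decode1(const unsigned char **p) {
    const unsigned char *s = *p;
    int i, extra = s[0] < 0x80 ? 0 : s[0] < 0xE0 ? 1 : s[0] < 0xF0 ? 2 : 3;
    uint32_t cp = extra ? (uint32_t)(s[0] & (0x3F >> extra)) : s[0];
    for (i = 1; i <= extra && s[i]; i++)
        cp = (cp << 6) | (s[i] & 0x3F);
    *p = s + i;
    return cp;
}

/* UTF-16 code units needed when code points above pair_above take two. */
static long units(const char *src, uint32_t pair_above) {
    const unsigned char *p = (const unsigned char *)src;
    long n = 0;
    while (*p)
        n += decode1(&p) > pair_above ? 2 : 1;
    return n;
}

/* Sizing pass pairs above 0xFFFF; nonzero here fails w_target_len == 0. */
long residual(const char *src, uint32_t pair_above) {
    return units(src, 0xFFFF) - units(src, pair_above);
}

/* First code point the two passes size differently, or 0 if none. */
uint32_t first_mismatch(const char *src, uint32_t pair_above) {
    const unsigned char *p = (const unsigned char *)src;
    while (*p) {
        uint32_t cp = decode1(&p);
        if ((cp > 0xFFFF) != (cp > pair_above))
            return cp;
    }
    return 0;
}

int main(void) {
    /* Constructed input: "a", U+1704, U+10000 as UTF-8 bytes. */
    const char *s = "a\xE1\x9C\x84\xF0\x90\x80\x80";
    /* 0xFFFF harmonized; 0x1000 as in the commit message; 0x10000 assumed. */
    const uint32_t t[] = { 0xFFFF, 0x1000, 0x10000 };
    for (int k = 0; k < 3; k++)
        printf("pair_above=0x%X residual=%ld first=U+%04X\n", (unsigned)t[k],
               residual(s, t[k]), (unsigned)first_mismatch(s, t[k]));
    return 0;
}
```

Only a writing-pass threshold equal to the sizing pass's 0xFFFF gives a zero residual for every input, which is the invariant the harmonized check restores.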
