Browse Source

fs: don't segfault on deeply recursive stat()

Check that the calls to Integer::New() and Date::New() succeed and bail out if
they don't.

V8 returns an empty handle on stack overflow. Trying to set the empty handle as
a property on an object results in a NULL pointer dereference in release builds
and an assert in debug builds.

Fixes #4015.
v0.8.11-release
Ben Noordhuis 12 years ago
parent
commit
07804c7c9a
  1. 83
      src/node_file.cc
  2. 7
      test/fixtures/test-regress-GH-4015.js
  3. 33
      test/simple/test-regress-GH-4015.js

83
src/node_file.cc

@ -301,46 +301,49 @@ Local<Object> BuildStatsObject(const uv_statbuf_t* s) {
Local<Object> stats =
stats_constructor_template->GetFunction()->NewInstance();
/* ID of device containing file */
stats->Set(dev_symbol, Integer::New(s->st_dev));
/* inode number */
stats->Set(ino_symbol, Integer::New(s->st_ino));
/* protection */
stats->Set(mode_symbol, Integer::New(s->st_mode));
/* number of hard links */
stats->Set(nlink_symbol, Integer::New(s->st_nlink));
/* user ID of owner */
stats->Set(uid_symbol, Integer::New(s->st_uid));
/* group ID of owner */
stats->Set(gid_symbol, Integer::New(s->st_gid));
/* device ID (if special file) */
stats->Set(rdev_symbol, Integer::New(s->st_rdev));
/* total size, in bytes */
stats->Set(size_symbol, Number::New(s->st_size));
#ifdef __POSIX__
/* blocksize for filesystem I/O */
stats->Set(blksize_symbol, Integer::New(s->st_blksize));
/* number of blocks allocated */
stats->Set(blocks_symbol, Integer::New(s->st_blocks));
#endif
/* time of last access */
stats->Set(atime_symbol, NODE_UNIXTIME_V8(s->st_atime));
/* time of last modification */
stats->Set(mtime_symbol, NODE_UNIXTIME_V8(s->st_mtime));
/* time of last status change */
stats->Set(ctime_symbol, NODE_UNIXTIME_V8(s->st_ctime));
if (stats.IsEmpty()) return Local<Object>();
// The code below is very nasty-looking but it prevents a segmentation fault
// when people run JS code like the snippet below. It's apparently more
// common than you would expect, several people have reported this crash...
//
// function crash() {
// fs.statSync('.');
// crash();
// }
//
// We need to check the return value of Integer::New() and Date::New()
// and make sure that we bail out when V8 returns an empty handle.
#define X(name) \
{ \
Local<Value> val = Integer::New(s->st_##name); \
if (val.IsEmpty()) return Local<Object>(); \
stats->Set(name##_symbol, val); \
}
X(dev)
X(ino)
X(mode)
X(nlink)
X(uid)
X(gid)
X(rdev)
X(size)
# if defined(__POSIX__)
X(blksize)
X(blocks)
# endif
#undef X
#define X(name) \
{ \
Local<Value> val = NODE_UNIXTIME_V8(s->st_##name); \
if (val.IsEmpty()) return Local<Object>(); \
stats->Set(name##_symbol, val); \
}
X(atime)
X(mtime)
X(ctime)
#undef X
return scope.Close(stats);
}

7
test/fixtures/test-regress-GH-4015.js

@ -0,0 +1,7 @@
var fs = require('fs');
function load() {
fs.statSync('.');
load();
}
load();

33
test/simple/test-regress-GH-4015.js

@ -0,0 +1,33 @@
// Copyright Joyent, Inc. and other Node contributors.
//
// Permission is hereby granted, free of charge, to any person obtaining a
// copy of this software and associated documentation files (the
// "Software"), to deal in the Software without restriction, including
// without limitation the rights to use, copy, modify, merge, publish,
// distribute, sublicense, and/or sell copies of the Software, and to permit
// persons to whom the Software is furnished to do so, subject to the
// following conditions:
//
// The above copyright notice and this permission notice shall be included
// in all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
var common = require('../common');
var assert = require('assert');
var exec = require('child_process').exec;
var cmd = process.execPath
+ ' '
+ common.fixturesDir
+ '/test-regress-GH-4015.js';
exec(cmd, function(err, stdout, stderr) {
assert(/RangeError: Maximum call stack size exceeded/.test(stderr));
});
Loading…
Cancel
Save