[jira] [Created] (THRIFT-5769) Large messages crash Node.js client when using TFramedTransport

Mon, 18 Mar 2024 09:40:04 -0700 

Tuomo Jokimies created THRIFT-5769:
--------------------------------------

             Summary: Large messages crash Node.js client when using 
TFramedTransport
                 Key: THRIFT-5769
                 URL: https://issues.apache.org/jira/browse/THRIFT-5769
             Project: Thrift
          Issue Type: Bug
          Components: Node.js - Library
    Affects Versions: 0.19.0
         Environment: *Stack trace for Node.js v21.7.1*
(pinpoints the cause as it is using new version of V8)
{code:java}
<redacted>/thrift/lib/nodejs/lib/thrift/framed_transport.js:43
      residual.push(data[i])
               ^

RangeError: Invalid array length
    at Array.push (<anonymous>)
    at <redacted>/thrift/lib/nodejs/lib/thrift/framed_transport.js:43:16
    <redacted>{code}
 
*Stack trace for Node.js LTS v20.11.1*

{code:java}
#
# Fatal error in , line 0
# Fatal JavaScript invalid size error 169220804 (see crbug.com/1201626)
#
#
#
#FailureMessage Object: 0x16f48a0f8
----- Native stack trace -----

1: 0x100aad340 node::NodePlatform::GetStackTracePrinter()::$_3::__invoke() 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
2: 0x101b309ac V8_Fatal(char const*, <redacted>) 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
3: 0x100d71334 
v8::internal::FactoryBase<v8::internal::Factory>::NewFixedArrayWithFiller(v8::internal::Handle<v8::internal::Map>,
 int, v8::internal::Handle<v8::internal::Oddball>, 
v8::internal::AllocationType) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
4: 0x100f0cf68 v8::internal::(anonymous 
namespace)::ElementsAccessorBase<v8::internal::(anonymous 
namespace)::FastPackedSmiElementsAccessor, v8::internal::(anonymous 
namespace)::ElementsKindTraits<(v8::internal::ElementsKind)0>>::GrowCapacity(v8::internal::Handle<v8::internal::JSObject>,
 unsigned int) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
5: 0x101158600 v8::internal::Runtime_GrowArrayElements(int, unsigned long*, 
v8::internal::Isolate*) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
6: 0x1014c4c44 Builtins_CEntry_Return1_ArgvOnStack_NoBuiltinExit 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
7: 0x1064cfe9c
8: 0x1064aac88
9: 0x10143c3e4 Builtins_InterpreterEntryTrampoline 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
10: 0x1064aac88
11: 0x10143c3e4 Builtins_InterpreterEntryTrampoline 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
12: 0x10143c3e4 Builtins_InterpreterEntryTrampoline 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
13: 0x10143a50c Builtins_JSEntryTrampoline 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
14: 0x10143a1f4 Builtins_JSEntry 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
15: 0x100d104f8 v8::internal::(anonymous 
namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous 
namespace)::InvokeParams const&) 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
16: 0x100d0f944 v8::internal::Execution::Call(v8::internal::Isolate*, 
v8::internal::Handle<v8::internal::Object>, 
v8::internal::Handle<v8::internal::Object>, int, 
v8::internal::Handle<v8::internal::Object>*) 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
17: 0x100bea214 v8::Function::Call(v8::Local<v8::Context>, 
v8::Local<v8::Value>, int, v8::Local<v8::Value>*) 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
18: 0x100978fd8 node::InternalMakeCallback(node::Environment*, 
v8::Local<v8::Object>, v8::Local<v8::Object>, v8::Local<v8::Function>, int, 
v8::Local<v8::Value>*, node::async_context) 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
19: 0x100979304 node::MakeCallback(v8::Isolate*, v8::Local<v8::Object>, 
v8::Local<v8::Function>, int, v8::Local<v8::Value>*, node::async_context) 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
20: 0x1009ee554 node::Environment::CheckImmediate(uv_check_s*) 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
21: 0x1014209e0 uv__run_check [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
22: 0x10141a700 uv_run [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
23: 0x100979754 node::SpinEventLoopInternal(node::Environment*) 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
24: 0x100a89c6c node::NodeMainInstance::Run(node::ExitCode*, 
node::Environment*) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
25: 0x100a89a08 node::NodeMainInstance::Run() 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
26: 0x100a13718 node::Start(int, char**) 
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
27: 0x1a61dff28 start [/usr/lib/dyld]{code}
            Reporter: Tuomo Jokimies


Large messages cause Thrift client to crash when using TFramedTransport.

Crash is caused by array overflow of residual variable in receiver function.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to