Out of bounds memory access

[devongovett]

cjs-module-lexer has a stack depth of 2048:

cjs-module-lexer/src/lexer.c

Line 8 in dd9d9f9

#define STACK_DEPTH 2048

this creates two stacks:

cjs-module-lexer/src/lexer.c

Lines 36 to 37 in dd9d9f9

	uint16_t templateStack_[STACK_DEPTH];
	uint16_t* openTokenPosStack_[STACK_DEPTH];

However, when pushing to these stacks, there is no bounds check performed. For example:

cjs-module-lexer/src/lexer.c

Line 164 in dd9d9f9

openTokenPosStack[openTokenDepth++] = lastTokenPos;

If you run with a maliciously crafted input, you can overflow the stack and cause memory corruption.

import { parse, init } from 'cjs-module-lexer';

await init();
console.log(parse('exports.foo = 2;\n' + '{'.repeat(3069) + '}'.repeat(3069)));

Running this causes a Bus error: 10 crash.

This can also cause a crash of node itself by writing the above contents to a file and importing it via ESM.

[guybedford]

Thanks for digging into this. The expectation for protection during development was always that it would only crash the Wasm process and therefore we'd wrap that in a JS error and simply catch it. Wasm errors causing process errors is not something I expected though, in which case we need to introduce these protections carefully.

We can PR the stack checks in the right places and backport across all active release lines as it's a patch. Would be nice to ensure we catch everything at once if possible, but we can also do it gradually. I'll try and put a Sunday afternoon into this soon when I can. PRs very welcome too.