njs: Long parentheses string segfault.

printf "%0.s(" {1..6546} | ./build/njs -
Segmentation fault

Repeated {, [ and ` are also affected.

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 18 (17 by maintainers)

Most upvoted comments

@hongzhidao @drsm

Take a look: https://gist.github.com/7df5712ed64a7186cf43d80c7fdf95fb It should protect from any deep recursion in parser or generator. (printf "%0.s1;" {1..40000} | ./build/njs - is a separate issue)

The second issue with the original patch was: count++ and count-- were not paired for all code branches, so count could become inconsistent (it tended to always grow).
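
As an added illustration of the fix described above (not njs code; names such as `parse_seq` and `DEPTH_MAX` are hypothetical): a recursive-descent matcher for nested `(`, `[` and `{` whose recursion depth is bounded by a counter that is incremented and decremented on every path, so input like `printf "%0.s(" {1..6546}` produces an error instead of exhausting the C stack, and shorter unclosed input still produces the usual "unexpected end of input" error.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical names, not njs code: a minimal recursive-descent matcher for
 * nested (), [] and {} guarded by a nesting counter like parser->count. */
#define DEPTH_MAX 512
enum { OK = 0, ERR_SYNTAX = 1, ERR_DEPTH = 2 };
struct parser { const char *p, *end; size_t count; };

/* Parses groups until closer (or end of input); C stack depth tracks count. */
static int parse_seq(struct parser *pr, char closer)
{
    while (pr->p < pr->end && *pr->p != closer) {
        char want;
        int  rc;
        switch (*pr->p++) {
        case '(': want = ')'; break;
        case '[': want = ']'; break;
        case '{': want = '}'; break;
        default:  return ERR_SYNTAX;    /* stray closer or other char */
        }
        if (pr->count >= DEPTH_MAX) return ERR_DEPTH;  /* RangeError in the fix */
        pr->count++;
        rc = parse_seq(pr, want);
        pr->count--;                    /* paired with count++ on every path */
        if (rc != OK) return rc;
        if (pr->p >= pr->end) return ERR_SYNTAX;       /* unexpected end */
        pr->p++;                        /* consume the matching closer */
    }
    return OK;
}

int parse(const char *src, size_t len)
{
    struct parser pr = { src, src + len, 0 };
    return parse_seq(&pr, '\0');
}

/* Builds the printf "%0.s(" {1..n} input in memory and parses it. */
int parse_repeated(char c, size_t n)
{
    char *buf = malloc(n);
    int   rc = ERR_SYNTAX;
    if (buf != NULL) {
        memset(buf, c, n);
        rc = parse(buf, n);
        free(buf);
    }
    return rc;
}
```

Because the decrement sits on the single path back out of the recursion, the counter returns to zero after any error, which is the drift the original patch suffered from.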

@hongzhidao

printf "%0.s\`" {1..90000} | ./build/njs - should be limited in generator not parser. On it.

./build/njs  -d
interactive njs 0.3.6

v.<Tab> -> the properties and prototype methods of v.
type console.help() for more information

>> ```` // is a valid js expression == ""()
shell:main
00000 ARRAY             245A1A0 1
00032 PROP INIT         245A1C0 245A1A0 245A1B0
00064 TEMPLATE LITERAL  245A1A0
00080 FUNCTION FRAME    245A1A0 1
00112 ARRAY             0002 1
00144 PROP INIT         245A1C0 0002 245A1B0
00176 FUNCTION CALL     245A1D0
00192 STOP              245A1D0

TypeError: string is not a function
    at main (native)

>> 

The same:

printf 'a'`printf "%0.s()" {1..100000}` | ./build/njs -

@xeioex Think about refactoring out two macros.

+    if (njs_slow_path(parser->count > 512)) {
+        njs_range_error(vm, "Maximum call stack size exceeded");
+        return NJS_TOKEN_ERROR;
+    }
+
+    parser->count++;
+
+    parser->count--;
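
Review bot: `parser->count++` and `parser->count--` are two separate statements with the parsing body between them, so every early `return` on that path (the `NJS_TOKEN_ERROR` exits included) must also decrement, or the counter only grows and the `> 512` check eventually fires on shallow input; wrapping the check-and-increment and the decrement in a pair of enter/leave macros, as the comment suggests, would make the pairing mechanical and easy to audit.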

@hongzhidao

But I can’t reproduce the token `.

 printf "%0.s\`" {1..90000} | ./build/njs -
Segmentation fault

(, {, [, {[, {; are fine. Thanks!

Also found:

$ printf "%0.s1;" {1..40000} | ./build/njs -
Segmentation fault

@drsm @hongzhidao

RangeError: Maximum call stack size exceeded.

I like this variant, because it is what we already have for function recursion and this is what V8 does.

Updated.

deleted.

@xeioex It seems it’s better to commit this patch with the new Function patch.

@hongzhidao

I reproduced with a larger constant:

$ printf "%0.s(" {1..6546} | ./build/njs -
SyntaxError: Unexpected end of input in -:1
$ printf "%0.s(" {1..10000} | ./build/njs -
Segmentation fault
$ uname -a
Linux L7480 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ free -h
              total        used        free      shared  buff/cache   available
Mem:            15G        1.3G         10G        341M        3.3G         13G
Swap:          1.9G          0B        1.9G
$ printf "%0.s{" {1..40000} | ./build/njs -
SyntaxError: Unexpected end of input in -:1
$ printf "%0.s{" {1..45000} | ./build/njs -
Segmentation fault

BTW, except for (, {, [, files with long strings of ` can also cause the segfault.