src: fix potential segmentation fault in SQLite #53850

tniessen · 2024-07-14T21:54:10Z

The Local<Value> returned from ColumnToValue() and ColumnNameToValue() may be empty (if a JavaScript exception is pending), in which case a segmentation fault may occur at the call sites, which do not check if the Local<Value> is empty. Fix this bug by returning early if an exception is pending (as indicated by the Local being empty).

In the long term, these functions should return MaybeLocal instead of Local, but this patch is supposed to be a minimal bug fix only.

The Local<Value> returned from ColumnToValue() and ColumnNameToValue() may be empty (if a JavaScript exception is pending), in which case a segmentation fault may occur at the call sites, which do not check if the Local<Value> is empty. Fix this bug returning early if an exception is pending (as indicated by the Local being empty). In the long term, these functions should return MaybeLocal instead of Local, but this patch is supposed to be a minimal bug fix only.

nodejs-github-bot · 2024-07-14T22:04:55Z

CI: https://ci.nodejs.org/job/node-test-pull-request/60316/

anonrig

Is there an easy repro?

tniessen · 2024-07-14T23:26:37Z

@anonrig The test case in #53851 segfaults without this PR :)

jasnell · 2024-07-15T02:57:17Z

src/node_sqlite.cc

+      if (key.IsEmpty()) return;
      Local<Value> val = stmt->ColumnToValue(i);
+      if (val.IsEmpty()) return;


nit... is it worth combining these into a single if (key.IsEmpty() || val.IsEmpty()) return just to make things a bit more compact?

We usually fail fast when a JavaScript exception is pending to avoid unsafe calls into JavaScript in that state. It seems that ColumnToValue() does not call into JavaScript, but unless someone feels strongly, I'd err on the side of caution here.

nodejs-github-bot · 2024-07-16T22:00:50Z

Landed in 0b1ff69

The Local<Value> returned from ColumnToValue() and ColumnNameToValue() may be empty (if a JavaScript exception is pending), in which case a segmentation fault may occur at the call sites, which do not check if the Local<Value> is empty. Fix this bug returning early if an exception is pending (as indicated by the Local being empty). In the long term, these functions should return MaybeLocal instead of Local, but this patch is supposed to be a minimal bug fix only. PR-URL: nodejs#53850 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>

The Local<Value> returned from ColumnToValue() and ColumnNameToValue() may be empty (if a JavaScript exception is pending), in which case a segmentation fault may occur at the call sites, which do not check if the Local<Value> is empty. Fix this bug returning early if an exception is pending (as indicated by the Local being empty). In the long term, these functions should return MaybeLocal instead of Local, but this patch is supposed to be a minimal bug fix only. PR-URL: #53850 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>

tniessen added the sqlite Issues and PRs related to the SQLite subsystem. label Jul 14, 2024

tniessen requested a review from cjihrig July 14, 2024 21:54

nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run. labels Jul 14, 2024

tniessen added the request-ci Add this label to start a Jenkins CI on a PR. label Jul 14, 2024

cjihrig approved these changes Jul 14, 2024

View reviewed changes

tniessen added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jul 14, 2024

github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jul 14, 2024

anonrig approved these changes Jul 14, 2024

View reviewed changes

tniessen mentioned this pull request Jul 14, 2024

src,test: disallow unsafe integer coercion in SQLite #53851

Merged

jasnell reviewed Jul 15, 2024

View reviewed changes

tniessen added the commit-queue Add this label to land a pull request using GitHub Actions. label Jul 16, 2024

nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Jul 16, 2024

nodejs-github-bot merged commit 0b1ff69 into nodejs:main Jul 16, 2024
68 checks passed

tniessen added the experimental Issues and PRs related to experimental features. label Jul 17, 2024

RafaelGSS mentioned this pull request Jul 30, 2024

v22.6.0 proposal #54123

Merged

targos added the dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. label Sep 21, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

src: fix potential segmentation fault in SQLite #53850

src: fix potential segmentation fault in SQLite #53850

tniessen commented Jul 14, 2024

nodejs-github-bot commented Jul 14, 2024

anonrig left a comment

tniessen commented Jul 14, 2024

jasnell Jul 15, 2024

tniessen Jul 15, 2024

nodejs-github-bot commented Jul 16, 2024

src: fix potential segmentation fault in SQLite #53850

src: fix potential segmentation fault in SQLite #53850

Conversation

tniessen commented Jul 14, 2024

nodejs-github-bot commented Jul 14, 2024

anonrig left a comment

Choose a reason for hiding this comment

tniessen commented Jul 14, 2024

jasnell Jul 15, 2024

Choose a reason for hiding this comment

tniessen Jul 15, 2024

Choose a reason for hiding this comment

nodejs-github-bot commented Jul 16, 2024