Fix CVE-2024-21526 by adding arg checks in binding.open #186
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…asserts Re: GHSA-w5fc-gj3h-26rx From the link: > All versions of the package speaker are vulnerable to Denial of Service (DoS) when providing unexpected input types to the channels property of the Speaker object makes it possible to reach an assert macro. Exploiting this vulnerability can lead to a process crash. The changes should prevent the process crashed vuln noted in the CVE. - **Callback Info Check**: Replaced `assert(napi_get_cb_info...)` with a check for `napi_ok` and verified that `argc >= 4`. If this fails, an error is thrown and `NULL` is returned. - **Memory Allocation**: Added a null check for `malloc` of `Speaker`. If allocation fails, a memory error is thrown. - **Channels, Rate, Format**: Replaced `assert` calls with checks for `napi_get_value_int32`. Added input validation (e.g., `channels <= 0` or `rate <= 0` are considered invalid). On failure, the `speaker` is freed and an error is thrown. - **Device String Handling**: Retained the `is_string` check. Replaced `assert` for `napi_get_value_string_utf8` with proper error handling. Added memory allocation checks for `speaker->device`, and ensured both `speaker` and `device` are freed on failure. - **Handle Creation**: Combined checks for `napi_create_object` and `napi_wrap`. If either fails, resources are cleaned up and an error is thrown. - **Cleanup**: Ensured all error paths properly free allocated memory (`speaker->device` and `speaker`) to prevent memory leaks. - **Defensive Vibes**: Added thorough validation at every step. Invalid inputs or failures result in clear error messages to avoid crashes or undefined behavior. - **JavaScript checks**: Also added a JS check for <Speaker>.channels before calling `binding.open` as another layer. The fork this comes from also updates dependencies ([@dosyago-sec/node-speaker](https://github.com/dosyago-sec/node-speaker) - so it can be used in [BrowserBox - remote browser isolation and text client for the web](https://github.com/BrowserBox/BrowserBox)), but this is omitted here to avoid affecting existing tests and to minimize changes to the original repo for this PR.
Author
|
Hi @TooTallNate I like this library and submitted this fix as something I could do for you after making similar changes as part of adapting this library for use in my product. I am using This might not be what you want, and you may not have time to look at this PR anyway - no worries at all, just offering it's helpful for you or speaker users. Thank you, sir! :) PS - the source of the fork I use in BrowserBox is at: https://github.com/dosyago-sec/node-speaker and published on NPM as: @browserbox/speaker also under the same Thank you again and good luck with your current stuff!!! :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix CVE-2024-21526 by adding arg checks in binding.open and removing asserts
Re: GHSA-w5fc-gj3h-26rx
From the link:
The changes should prevent the process crashed vuln noted in the CVE.
Callback Info Check: Replaced
assert(napi_get_cb_info...)with a check fornapi_okand verified thatargc >= 4. If this fails, an error is thrown andNULLis returned.Memory Allocation: Added a null check for
mallocofSpeaker. If allocation fails, a memory error is thrown.Channels, Rate, Format: Replaced
assertcalls with checks fornapi_get_value_int32. Added input validation (e.g.,channels <= 0orrate <= 0are considered invalid). On failure, thespeakeris freed and an error is thrown.Device String Handling: Retained the
is_stringcheck. Replacedassertfornapi_get_value_string_utf8with proper error handling. Added memory allocation checks forspeaker->device, and ensured bothspeakeranddeviceare freed on failure.Handle Creation: Combined checks for
napi_create_objectandnapi_wrap. If either fails, resources are cleaned up and an error is thrown.Cleanup: Ensured all error paths properly free allocated memory (
speaker->deviceandspeaker) to prevent memory leaks.Defensive Vibes: Added thorough validation at every step. Invalid inputs or failures result in clear error messages to avoid crashes or undefined behavior.
JavaScript checks: Also added a JS check for .channels before calling
binding.openas another layer.The fork this comes from also updates dependencies (@dosyago-sec/node-speaker - so it can be used in BrowserBox - remote browser isolation and text client for the web), but this is omitted here to avoid affecting existing tests and to minimize changes to the original repo for this PR.