[Pkg-javascript-devel] Bug#1062724: node-cbor: cbor2comment throws exception on decoding null
brian m. carlson
sandals at crustytoothpaste.net
Fri Feb 2 22:39:14 GMT 2024
Package: node-cbor
Version: 8.1.0+dfsg+~cs5.2.1-3
Severity: normal
File: /usr/bin/cbor2comment
cbor2comment can throw an exception when a null is deserialized:
$ cat >data <<-EOF
AKViaWQAaHNlbGVjdG9yoWRwYXRoTi9tZW1vcnkvdmF1bHQvZ3JlY3Vyc2WhZ2Jvb2xlYW71ZGtp
bmRqY3JlZGVudGlhbGRib2R5rGh1c2VybmFtZaFnbGl0ZXJhbENmb29mc2VjcmV0oWNhbnn2aGF1
dGh0eXBloWNhbnn2ZGtpbmShZ2xpdGVyYWxjYXBpaHByb3RvY29soWdsaXRlcmFsZWh0dHBzZGhv
c3ShZ2xpdGVyYWxvZ2l0LmV4YW1wbGUuY29tZXRpdGxloWdsaXRlcmFseB1HaXQ6IGh0dHBzOi8v
Z2l0LmV4YW1wbGUuY29tL2tkZXNjcmlwdGlvbqFjYW559mRwYXRooWNhbnn2Z3NlcnZpY2WhZ2xp
dGVyYWxjZ2l0ZWV4dHJhoGJpZKFnbGl0ZXJhbFiAODhkMmQ3Njc4YzEyNzdmODFiMzhmZWJkOWQ5
M2Y0ZDc0ZGY4OGYyNzIwOTYwMzA4YTFjY2VjZmI1N2QzNjVmNTNiMTAyMjc2YmQ1YjQ0MjcwMjkz
ZDQzNDU4M2RkMmVmNmMxZGViODdmYzI5NTA4YTc2YjI3YjA3OTgyNmI3MDYK
EOF
$ base64 -d data | cbor2comment
[Some data...]
f6 -- {Val:0}, TypeError: Cannot read properties of null (reading 'Symbol(nodejs.util.inspect.custom)')
    at Object.cborValueToString (/usr/share/nodejs/cbor/lib/utils.js:246:21)
    at Commented._on_value (/usr/share/nodejs/cbor/lib/commented.js:336:23)
    at Decoder.emit (node:events:517:28)
    at Decoder._parse (/usr/share/nodejs/cbor/lib/decoder.js:555:12)
    at _parse.next (<anonymous>)
    at Decoder._transform (/usr/share/nodejs/cbor/vendor/binary-parse-stream/index.js:53:29)
    at Transform._write (node:internal/streams/transform:175:8)
    at writeOrBuffer (node:internal/streams/writable:392:12)
    at _write (node:internal/streams/writable:333:10)
    at Writable.write (node:internal/streams/writable:337:10)

I expected cbor2comment to print the data, including the null, without
throwing an exception or truncating the dump.

I should note that cbor2json works, but because my data structure uses
byte strings heavily, the dump is effectively unreadable. I have not
found other non-null data that triggers an error.

In case it is useful to know, the data structure was serialized using
the Rust library serde_cbor. It's test data and is not sensitive, so
feel free to share it, add it to the testsuite, etc.

I believe this may be fixed with PR #188 upstream (in v9.0.2), but I'm
unsure. In any event, I expect it's easy to verify one way or the other
with the steps above.

-- System Information:
Debian Release: trixie/sid
APT prefers oldstable-security
APT policy: (500, 'oldstable-security'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.6.9-amd64 (SMP w/20 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER, TAINT_WARN
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages node-cbor depends on:
ii node-bignumber 9.1.1-1
ii node-commander 9.4.1-1
ii nodejs 18.19.0+dfsg-6
node-cbor recommends no packages.
node-cbor suggests no packages.
-- no debconf information
--
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA
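
Added illustration, not part of the original report and not node-cbor's code: the TypeError in the trace is the kind raised when a formatter tests `typeof val === 'object'` and then reads a property, since `typeof null` is also `'object'`. That utils.js is written this way is an assumption; all function names below are hypothetical, and the sample bytes are constructed.

```javascript
// Added illustration; not node-cbor's code. All function names are hypothetical.
// Same symbol object as util.inspect.custom (registered in the global symbol registry).
const INSPECT = Symbol.for('nodejs.util.inspect.custom');

// Unguarded: typeof null === 'object', so null reaches the property read and throws.
function unsafeValueToString(val) {
  if (typeof val === 'object' && typeof val[INSPECT] === 'function') return val[INSPECT]();
  return String(val);
}

// Guarded: null is handled before any property access.
function safeValueToString(val) {
  if (val === null) return 'null';
  if (typeof val === 'object' && typeof val[INSPECT] === 'function') return val[INSPECT]();
  return String(val);
}

// CBOR simple values carried in major type 7: f4, f5, f6, f7.
const SIMPLE = { 20: false, 21: true, 22: null, 23: undefined };

// Commented dump for a small CBOR subset: maps and text strings with a length
// under 24, plus the four simple values above. Anything else is rejected.
function comment(bytes, fmt) {
  const hex = (a, b) =>
    Array.from(bytes.slice(a, b), (x) => x.toString(16).padStart(2, '0')).join('');
  const lines = [];
  let i = 0;
  while (i < bytes.length) {
    const major = bytes[i] >> 5;
    const info = bytes[i] & 0x1f;
    if (major === 5 && info < 24) {
      lines.push(`${hex(i, i + 1)} -- Map, ${info} pair(s)`);
      i += 1;
    } else if (major === 3 && info < 24) {
      if (i + 1 + info > bytes.length) throw new RangeError('truncated text string');
      const text = new TextDecoder().decode(bytes.slice(i + 1, i + 1 + info));
      lines.push(`${hex(i, i + 1 + info)} -- ${JSON.stringify(text)}`);
      i += 1 + info;
    } else if (major === 7 && info in SIMPLE) {
      lines.push(`${hex(i, i + 1)} -- ${fmt(SIMPLE[info])}`);
      i += 1;
    } else {
      throw new Error(`unsupported initial byte 0x${hex(i, i + 1)}`);
    }
  }
  return lines;
}

// Constructed sample: the CBOR encoding of {"any": null}.
const SAMPLE = Uint8Array.of(0xa1, 0x63, 0x61, 0x6e, 0x79, 0xf6);
```

Calling `comment(SAMPLE, unsafeValueToString)` stops at the `f6` byte with a TypeError, while `comment(SAMPLE, safeValueToString)` completes the dump.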