Failing assertion: inconsistency in rightmost processing in turf-jsts when calling turf.buffer

[0xricksanchez]

Meta

• The version of Turf you are using, and any other relevant versions.
  • "@turf/turf": "^6.5.0"

Report

Hi turf team,

In an ongoing effort to secure the JS/TS ecosystem, we integrated turf into Google's OSS-Fuzz project recently with our JS/TS fuzzer Jazzer.js.

We're frequently running into a failed assertion that blocks progress and potential discovery of deeper rooted bugs. I have prepared a simple reproducer below that can cause turf.buffer() to crash.

Reproducer

Note: that the hard-coded values for radius, options, and point were originally randomly generated during the fuzzing campaign but are for simplicity hard-coded in the proof of concept!

const turf = require("@turf/turf");

const radius = {};
const options = { steps: 1, units: "" };
const point = turf.point([179.9066198987503, -89.99999999999936]);

turf.buffer(point, radius, options);

Note: We're currently testing the latest available release on npmjs as building locally seems rather difficult to pull off, and we ran into different issues there while also stumbling across:

• removing jsts dependency #88
• Best way to install current master modules while waiting for a release? #2229

Actual behavior

The PoC crashes with the following trace:

$ node fuzz_poc.js

/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/turf/fuzz/node_modules/turf-jsts/jsts.js:14721
        } else { throw ex }
                 ^
Error
    at AssertionFailedException.RuntimeException [as constructor] (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/turf/fuzz/node_modules/turf-jsts/
jsts.js:2168:19)
    at new AssertionFailedException (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/turf/fuzz/node_modules/turf-jsts/jsts.js:2185:27)
    at Function.isTrue (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/turf/fuzz/node_modules/turf-jsts/jsts.js:2231:15)
    at RightmostEdgeFinder.findEdge (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/turf/fuzz/node_modules/turf-jsts/jsts.js:8085:10)
    at BufferSubgraph.create (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/turf/fuzz/node_modules/turf-jsts/jsts.js:8191:16)
    at BufferBuilder.createSubgraphs (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/turf/fuzz/node_modules/turf-jsts/jsts.js:14054:16)
    at BufferBuilder.buffer (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/turf/fuzz/node_modules/turf-jsts/jsts.js:14086:27)
    at BufferOp.bufferFixedPrecision (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/turf/fuzz/node_modules/turf-jsts/jsts.js:14709:37)
    at BufferOp.bufferReducedPrecision (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/turf/fuzz/node_modules/turf-jsts/jsts.js:14730:10)
    at BufferOp.bufferReducedPrecision (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/turf/fuzz/node_modules/turf-jsts/jsts.js:14717:16) {
  message: 'inconsistency in rightmost processing'
}

Node.js v18.16.0

Expected behavior

I assume the assertion should not trigger and cause the NodeJS runtime to crash.

Impact

As turf is a widely popular library with 300k weekly downloads on npmjs and is used by roughly 16k projects as a dependency, this simple PoC can be considered a DoS scenario affecting any other project that uses turf.buffer() on (semi-)untrusted input.

PS: I'm happy to answer any questions regarding fuzzing or the crashing program :)!