Found using Fuzzilli. Please let me know if there is a different way that these should be reported, or any additional information that should be included.
Compilation Target: dukd on 468c7b4 on v2-maintenance
System: Ubuntu 18.04.4 LTS
Analysis:
V4 is an empty object, due to the invalid decode. It is still different than when a new object is made directly, which does not trigger this bug.
Code:
function main() {
    var v0 = [];                           // empty array, not a buffer or string
    var v4 = Duktape.dec("base64", v0);    // decodes to an empty buffer (see analysis)
    var v5 = CBOR.encode(v4);              // triggers the failure with assertions enabled
}
main();
(Duktape.dec() should probably reject non-string inputs though, which is a separate issue.)
An empty plain buffer encodes correctly without valgrind issues:
duk> CBOR.encode(x)
= |40|
With assertions enabled this fails. The assert involved is checking that a memcpy() should not happen with a NULL pointer argument even when the size is zero as this is undefined behavior in C99. The fix is to use duk_memcpy_safe() in the relevant places because it checks for zero explicitly.
The reason Duktape.dec() successfully decodes [] is that if the argument is not a buffer, it is string coerced and then decoded. An empty array [] string coerces to an empty string, which decodes to an empty buffer. Not sure it's the best behavior but there's no bug involved in why that succeeds.
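The comment above names the root cause: calling memcpy() with a NULL pointer is undefined behaviour in C99 even when the length is zero, and the fix is a wrapper that checks for zero before copying. The following is an added example written for this page, not Duktape's own duk_memcpy_safe() or its CBOR encoder; memcpy_safe() and encode_bytestring() are hypothetical names, and the encoder is a deliberately minimal model of CBOR major type 2 (byte string) for lengths under 24, enough to show the empty-buffer case that yields the `|40|` output shown in the thread.

```c
#include <stddef.h>
#include <string.h>

/* Added example (not Duktape's code): a memcpy wrapper that is safe to call
 * with a NULL source or destination when the length is zero. A plain
 * memcpy(dst, NULL, 0) copies nothing but is still undefined behaviour in
 * C99, which is exactly what an assert on the memcpy arguments flags. */
static void *memcpy_safe(void *dst, const void *src, size_t len) {
    if (len == 0) {
        return dst;  /* nothing to copy; never hand NULL to memcpy() */
    }
    return memcpy(dst, src, len);
}

/* Minimal model of encoding a buffer as a CBOR byte string: one header byte
 * (0x40 | length) for lengths below 24, followed by the payload. An empty
 * buffer arrives with a NULL data pointer, mirroring the empty decode in the
 * report. Returns the number of bytes written, or 0 if the input is outside
 * this toy encoder's range or the output buffer is too small. */
static size_t encode_bytestring(unsigned char *out, size_t out_cap,
                                const unsigned char *data, size_t len) {
    if (len >= 24 || out_cap < 1 + len) {
        return 0;
    }
    out[0] = (unsigned char)(0x40 | len);  /* CBOR major type 2, short length */
    memcpy_safe(out + 1, data, len);       /* safe even when data == NULL, len == 0 */
    return 1 + len;
}
```

Encoding an empty buffer through encode_bytestring() produces the single byte 0x40, matching the `|40|` result in the thread, and the zero-length path never reaches memcpy() with a NULL argument. Replacing memcpy_safe() with a bare memcpy() keeps the same observable output on most platforms, which is why the defect only surfaces under assertions or a UB sanitizer.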