This library causes V8 to crash (Fatal JavaScript invalid size error 169220804) when reading this specific image

[ryanhugh]

Hey all,

This library causes all of Node V8 to crash when reading this specific image. I'm on Node v18.14.2. I'm on exif@0.6.0. I'm on an Mac M2, (Darwin Kernel Version 22.3.0: Mon Jan 30 20:39:46 PST 2023; root:xnu-8792.81.3~2/RELEASE_ARM64_T6020 arm64) but I've also seen this happen on my Amazon Linux servers. Here's the full exception:

V8 Crashes can't be caught with try-catch. Which means the entire node instance has to be re-started when this exception happens. Not great.

/usr/local/bin/node ./node_modules/.bin/ts-node /Users/ryan/.../exifDataAndSize.ts
Debugger attached.


#
# Fatal error in , line 0
# Fatal JavaScript invalid size error 169220804
#
#
#
#FailureMessage Object: 0x16faf61b8
 1: 0x10041bc2c node::NodePlatform::GetStackTracePrinter()::$_3::__invoke() [/usr/local/bin/node]
 2: 0x10134dd0c V8_Fatal(char const*, ...) [/usr/local/bin/node]
 3: 0x10068f1e8 v8::internal::FactoryBase<v8::internal::Factory>::NewFixedArrayWithFiller(v8::internal::Handle<v8::internal::Map>, int, v8::internal::Handle<v8::internal::Oddball>, v8::internal::AllocationType) [/usr/local/bin/node]
 4: 0x10081b4d0 v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::FastPackedObjectElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)2> >::GrowCapacity(v8::internal::Handle<v8::internal::JSObject>, unsigned int) [/usr/local/bin/node]
 5: 0x100a1b2f0 v8::internal::Runtime_GrowArrayElements(int, unsigned long*, v8::internal::Isolate*) [/usr/local/bin/node]
 6: 0x100d7104c Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit [/usr/local/bin/node]
 7: 0x105d25758
 8: 0x100cfc198 Builtins_InterpreterEntryTrampoline [/usr/local/bin/node]
 9: 0x100cfc198 Builtins_InterpreterEntryTrampoline [/usr/local/bin/node]
10: 0x100cfc198 Builtins_InterpreterEntryTrampoline [/usr/local/bin/node]
11: 0x100cfc198 Builtins_InterpreterEntryTrampoline [/usr/local/bin/node]
12: 0x100cfc198 Builtins_InterpreterEntryTrampoline [/usr/local/bin/node]
13: 0x100cfc198 Builtins_InterpreterEntryTrampoline [/usr/local/bin/node]
14: 0x105d0f2e0
15: 0x100cfa4d0 Builtins_JSEntryTrampoline [/usr/local/bin/node]
16: 0x100cfa164 Builtins_JSEntry [/usr/local/bin/node]
17: 0x10064013c v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) [/usr/local/bin/node]
18: 0x10063f670 v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) [/usr/local/bin/node]
19: 0x10052fa04 v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) [/usr/local/bin/node]
20: 0x10030cfc4 node::InternalMakeCallback(node::Environment*, v8::Local<v8::Object>, v8::Local<v8::Object>, v8::Local<v8::Function>, int, v8::Local<v8::Value>*, node::async_context) [/usr/local/bin/node]
21: 0x10030d2d4 node::MakeCallback(v8::Isolate*, v8::Local<v8::Object>, v8::Local<v8::Function>, int, v8::Local<v8::Value>*, node::async_context) [/usr/local/bin/node]
22: 0x10036737c node::Environment::CheckImmediate(uv_check_s*) [/usr/local/bin/node]
23: 0x100ce3974 uv__run_check [/usr/local/bin/node]
24: 0x100cdd63c uv_run [/usr/local/bin/node]
25: 0x10030d704 node::SpinEventLoop(node::Environment*) [/usr/local/bin/node]
26: 0x1003f914c node::NodeMainInstance::Run() [/usr/local/bin/node]
27: 0x10038a244 node::LoadSnapshotDataAndRun(node::SnapshotData const**, node::InitializationResult const*) [/usr/local/bin/node]
28: 0x10038a4c8 node::Start(int, char**) [/usr/local/bin/node]
29: 0x189c93e50 start [/usr/lib/dyld]

this_photo_causes_exif_lib_to_crash_v8.jpeg.zip