First of all, I don't use this package so I won't participate further, just want to let you know.
While investigating a bit of the event-stream "issue", I found that the guy who stole bitcoin wallets for a few months had a "fork" (non-GitHub fork) of node-scrypt, and made a change to unsafe code in this package.
scrypt_common.cc:

```cpp
std::string scrypt_err_description = InternalErrorDescr(base_error);
...
return scrypt_err_description.c_str();
```
You're returning a pointer to freed memory. Or rather, to potentially freed memory. std::string has a lot of different and clever implementations of re-using memory, so having references to data which "look" freed is not just entirely broken, but a security issue. Could potentially be exploited to execute arbitrary code (e.g. if a string can overwrite what will eventually end up in a system call).
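For readers who want to see the lifetime problem side by side with two ways to fix it, here is an added example (not code from node-scrypt or from the reporter). `InternalErrorDescr` is a constructed stand-in for the project's function; `DescribeErrorDangling` mirrors the quoted pattern, and the other two functions show the fixes.

```cpp
#include <cstring>
#include <string>

// Constructed stand-in for node-scrypt's InternalErrorDescr(): builds the
// description in a fresh std::string, exactly the shape that causes the bug.
static std::string InternalErrorDescr(int base_error) {
    return "scrypt error " + std::to_string(base_error);
}

// BROKEN: same pattern as the lines quoted from scrypt_common.cc. The
// std::string is a local, so its buffer is released when the function
// returns and the pointer handed back dangles. Reading through it is
// undefined behaviour: it may look fine, print garbage, or crash, and
// AddressSanitizer reports it as a heap-use-after-free (or stack-use-after-
// return for short strings kept in the SSO buffer). Never call this.
const char* DescribeErrorDangling(int base_error) {
    std::string scrypt_err_description = InternalErrorDescr(base_error);
    return scrypt_err_description.c_str();   // pointer outlives the string
}

// FIX 1: give the caller ownership by returning the std::string by value.
std::string DescribeError(int base_error) {
    return InternalErrorDescr(base_error);
}

// FIX 2: when a C-style API must hand out a char*, copy into storage the
// caller owns. The copy is bounded and always NUL-terminated, and the
// return value is the size needed (including the NUL) so truncation is
// detectable instead of silent.
size_t DescribeErrorInto(int base_error, char* buf, size_t buf_len) {
    std::string desc = InternalErrorDescr(base_error);
    size_t needed = desc.size() + 1;
    if (buf_len == 0) return needed;
    size_t n = desc.size() < buf_len - 1 ? desc.size() : buf_len - 1;
    std::memcpy(buf, desc.data(), n);
    buf[n] = '\0';
    return needed;
}
```

Building with `-fsanitize=address` and calling `DescribeErrorDangling` is the quickest way to see the original pattern flagged at runtime.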