OOB read in libuv

**Summary:** The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo(). nodejs seems to use libuv and is possibly affected by this as well. **Description:** An out-of-bound read can occur when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo(). nodejs seems to use libuv and is possibly affected by this as well. ## Steps To Reproduce: i attached a testcase and the ad-hoc fuzzer I used to identify the issues. If you need further help reproducing, please let me know. ~~~ static unsigned uv__utf8_decode1_slow(const char** p, const char* pe, unsigned a) { unsigned b; unsigned c; unsigned d; unsigned min; if (a > 0xF7) return -1; switch (*p - pe) { default: if (a > 0xEF) { if (p + 3 > pe) return -1; min = 0x10000; a = a & 7; b = (unsigned char) *(*p)++; // OOB READ c = (unsigned char) *(*p)++; // OOB READ d = (unsigned char) *(*p)++; // OOB READ break; } /* Fall through. */ ~~~ ## Impact: [add why this issue matters] Possiblity to crash the process when untrusted hostnames are passed to uv__getaddrinfo() ## Supporting Material/References: - ## Misc This issue was found during an audit of Cure53 for ExpressVPN but ExpressVPN is not affected by the issue. I reported it to the libuv project, whose maintainers suggested that i report it to nodejs directly as well. ## Impact An oob read that does not seem to be abused to leak data, but possibly read to a guarded page which segfaults the process.