From 78ee4a3e820022f3ca7fb988f7182236dba2daa1 Mon Sep 17 00:00:00 2001
From: Dylan Conway <35280289+dylan-conway@users.noreply.github.com>
Date: Mon, 7 Apr 2025 20:20:22 -0700
Subject: [PATCH] fix(shell): possible UAF when throwing a shell error (#18840)

---
 src/shell/shell.zig | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/shell/shell.zig b/src/shell/shell.zig
index 39c9de5236..7f773b806f 100644
--- a/src/shell/shell.zig
+++ b/src/shell/shell.zig
@@ -72,7 +72,17 @@ pub const ShellErr = union(enum) {
     }
 
     pub fn throwJS(this: *const @This(), globalThis: *JSC.JSGlobalObject) bun.JSError {
-        defer this.deinit(bun.default_allocator);
+        defer {
+            // basically `transferToJS`. don't want to double deref the sys error
+            switch (this.*) {
+                .sys => {
+                    // sys.toErrorInstance handles decrementing the ref count
+                },
+                .custom, .invalid_arguments, .todo => {
+                    this.deinit(bun.default_allocator);
+                },
+            }
+        }
         switch (this.*) {
             .sys => {
                 const err = this.sys.toErrorInstance(globalThis);