mirrors/bun.sh
1
0
Fork 0
mirror of https://github.com/oven-sh/bun synced 2026-02-02 15:08:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix hash map use-after-free in macro (#26451)

Browse Source 
### What does this PR do?
Fixes use after free of a pointer taken from a hash map inside of
`.Promise` branch
Fixes https://github.com/oven-sh/bun/issues/24505

### How did you verify your code works?
Tested on [my minimal
repro](https://github.com/oven-sh/bun/issues/24505#issuecomment-3797984659),
and also on the repro in [this
issue](https://github.com/oven-sh/bun/issues/24505#issue-3603294746)
Didn't include test cases in code because the repro is still flaky and
involves heavy libs to reproduce
This commit is contained in:
Kirill Markelov
2026-01-26 12:19:58 +04:00
committed by GitHub
parent 2c0721eabe
commit 799907362f
1 changed files with 5 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/ast/Macro.zig
View File

@@ -320,9 +320,8 @@ pub const Runner = struct {
.Null => return Expr.init(E.Null, E.Null{}, this.caller.loc), .Null => return Expr.init(E.Null, E.Null{}, this.caller.loc),
.Private => { .Private => {
this.is_top_level = false; this.is_top_level = false;
const _entry = this.visited.getOrPut(this.allocator, value) catch unreachable; if (this.visited.get(value)) |cached| {
if (_entry.found_existing) { return cached;
return _entry.value_ptr.*;
} }
var blob_: ?*const jsc.WebCore.Blob = null; var blob_: ?*const jsc.WebCore.Blob = null;
@@ -470,9 +469,8 @@ pub const Runner = struct {
return Expr.init(E.String, E.String.init(out_slice), this.caller.loc); return Expr.init(E.String, E.String.init(out_slice), this.caller.loc);
}, },
.Promise => { .Promise => {
const _entry = this.visited.getOrPut(this.allocator, value) catch unreachable; if (this.visited.get(value)) |cached| {
if (_entry.found_existing) { return cached;
return _entry.value_ptr.*;
} }
const promise = value.asAnyPromise() orelse @panic("Unexpected promise type"); const promise = value.asAnyPromise() orelse @panic("Unexpected promise type");
@@ -494,7 +492,7 @@ pub const Runner = struct {
this.is_top_level = false; this.is_top_level = false;
const result = try this.run(promise_result); const result = try this.run(promise_result);
_entry.value_ptr.* = result; this.visited.put(this.allocator, value, result) catch unreachable;
return result; return result;
}, },
else => {}, else => {},