Fix env loader buffer overflow by using stack fallback allocator (#21416)

## Summary
- Fixed buffer overflow in env_loader when parsing large environment
variables with escape sequences
- Replaced fixed 4096-byte buffer with a stack fallback allocator that
automatically switches to heap allocation for larger values
- Added comprehensive tests to prevent regression

## Background
The env_loader previously used a fixed threadlocal buffer that could
overflow when parsing environment variables containing escape sequences.
This caused crashes when the parsed value exceeded 4KB.

## Changes
- Replaced fixed buffer with `StackFallbackAllocator` that uses 4KB
stack buffer for common cases and falls back to heap for larger values
- Updated all env parsing functions to accept a reusable buffer
parameter
- Added proper memory cleanup with defer statements

## Test plan
- [x] Added test cases for large environment variables with escape
sequences
- [x] Added test for values larger than 4KB  
- [x] Added edge case tests (empty quotes, escape at EOF)
- [x] All existing env tests continue to pass

fixes #11627
fixes BAPI-1274

🤖 Generated with [Claude Code](https://claude.ai/code)

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
This commit is contained in:
Dylan Conway
2025-07-28 00:13:17 -07:00
committed by GitHub
parent 7a47c945aa
commit 9a2dfee3ca
9 changed files with 139 additions and 97 deletions
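
The pattern the commit message describes, as an added Zig sketch that is not Bun's `env_loader` code: a 4096-byte stack buffer with a heap fallback via `std.heap.stackFallback`, with the allocator state owned by the caller so that parsed slices never outlive it. The escape grammar, the `unescape` helper and the sample inputs are assumptions constructed for illustration.

```zig
const std = @import("std");

// Hypothetical helper (not Bun's parser). Assumed grammar: \n and \t are
// translated, any other escaped byte is kept as-is, and a lone backslash at
// end of input is kept verbatim. Output is never longer than the input.
fn unescape(buf: []u8, raw: []const u8) error{BufferTooSmall}![]u8 {
    // Bounds check up front instead of trusting a fixed-size buffer.
    if (buf.len < raw.len) return error.BufferTooSmall;
    var n: usize = 0;
    var i: usize = 0;
    while (i < raw.len) : (i += 1) {
        var c = raw[i];
        if (c == '\\' and i + 1 < raw.len) {
            i += 1;
            c = switch (raw[i]) {
                'n' => '\n',
                't' => '\t',
                else => raw[i],
            };
        }
        buf[n] = c;
        n += 1;
    }
    return buf[0..n];
}

pub fn main() !void {
    // The fallback state holds the 4096-byte stack buffer, so it must live
    // in the caller's frame for as long as any slice allocated from it.
    var sfa = std.heap.stackFallback(4096, std.heap.page_allocator);
    const allocator = sfa.get();

    // Constructed inputs: a short value ending in a bare backslash, and an
    // 8192-byte value that cannot fit in the stack buffer.
    const inputs = [_][]const u8{ "line1\\nline2\\", "ab\\t" ** 2048 };
    for (inputs) |raw| {
        // Sized from the input: served from the stack when it fits,
        // from the heap otherwise.
        const buf = try allocator.alloc(u8, raw.len);
        defer allocator.free(buf);
        const value = try unescape(buf, raw);
        std.debug.print("{d} raw bytes -> {d} parsed bytes\n", .{ raw.len, value.len });
    }
}
```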


@@ -213,7 +213,7 @@ pub const CreateCommand = struct {
break :brk DotEnv.Loader.init(map, ctx.allocator);
};
env_loader.loadProcess();
try env_loader.loadProcess();
const dirname: string = brk: {
if (positionals.len == 1) {
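Review bot: `try env_loader.loadProcess();` in `CreateCommand` (hunk at line 213) now returns early from the enclosing function on any error, but nothing in the visible lines says which errors `loadProcess` can return or what the user sees when it fails. Consider documenting the error set on `loadProcess`, or handling the error here with a `catch` that reports the environment load as the cause before exiting.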
@@ -1683,7 +1683,7 @@ pub const CreateCommand = struct {
break :brk DotEnv.Loader.init(map, ctx.allocator);
};
env_loader.loadProcess();
try env_loader.loadProcess();
// var unsupported_packages = UnsupportedPackages{};
const template = brk: {
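Review bot: the call site in the hunk at line 1683 repeats the same `DotEnv.Loader.init(map, ctx.allocator)` followed by `loadProcess()` sequence as the hunk at line 213 and the one in `CreateListExamplesCommand`, so this signature change had to be applied by hand in three places. A small shared helper that builds the loader and calls `try loader.loadProcess()` would keep the error handling for the process environment in one spot.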
@@ -2282,7 +2282,7 @@ pub const CreateListExamplesCommand = struct {
break :brk DotEnv.Loader.init(map, ctx.allocator);
};
env_loader.loadProcess();
try env_loader.loadProcess();
var progress = Progress{};
progress.supports_ansi_escape_codes = Output.enable_ansi_colors_stderr;