fix(spawn): prevent use-after-free in subprocess stdin cleanup

When onProcessExit runs after the JSSink destructor has already freed
the FileSink, the fromJS recovery path would read stale m_sinkPtr from
the dead JSSink, accessing freed/reallocated memory. This could close
file descriptors belonging to other subprocesses, corrupting their
pipe communication.

Guard the fromJS recovery with has_stdin_destructor_called to skip it
when we know the FileSink has already been freed.
Dylan Conway
2026-01-28 14:52:00 -08:00
parent 7ebfdf97a8
commit e44246951d

@@ -591,7 +591,7 @@ pub fn onProcessExit(this: *Subprocess, process: *Process, status: bun.spawn.Sta
if (this_jsvalue != .zero) {
if (jsc.Codegen.JSSubprocess.stdinGetCached(this_jsvalue)) |existing_value| {
if (existing_value.isCell()) {
if (stdin == null) {
if (stdin == null and !this.flags.has_stdin_destructor_called) {
// TODO: review this cast
stdin = @ptrCast(@alignCast(jsc.WebCore.FileSink.JSSink.fromJS(existing_value)));
}
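Review bot: the new guard on the `if (stdin == null ...)` line makes the recovered `stdin` pointer's validity depend entirely on `this.flags.has_stdin_destructor_called` being set before the JSSink destructor frees the FileSink, but nothing in this hunk shows or documents that ordering, and the `// TODO: review this cast` above `FileSink.JSSink.fromJS(existing_value)` is left in place even though the cast is exactly what the use-after-free went through. Suggest replacing the TODO with a comment stating the invariant this guard relies on (the flag is set by the JSSink destructor before the FileSink is freed, so a cached stdin cell with the flag set must never be dereferenced), and adding a debug assertion in the destructor path that the flag is set before the free, so a future reordering of the destructor fails loudly instead of reintroducing the stale `m_sinkPtr` read the commit message describes.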