mirror of https://github.com/oven-sh/bun synced 2026-02-09 10:28:47 +00:00

Files

robobun d273f7fdde fix: zstd decompression with async-compressed data (#23314 ) (#23317 )

### What does this PR do?

Fixes #23314 where `zlib.zstdCompress()` created data that caused an
out-of-memory error when decompressed with `Bun.zstdDecompressSync()`.

#### 1. `zlib.zstdCompress()` now sets `pledgedSrcSize`

The async convenience method now automatically sets the `pledgedSrcSize`
option to the input buffer size. This ensures the compressed frame
includes the content size in the header, making sync and async
compression produce identical output.

**Node.js compatibility**: `pledgedSrcSize` is a documented Node.js
option:
-
[`vendor/node/doc/api/zlib.md:754-758`](https://github.com/oven-sh/bun/blob/main/vendor/node/doc/api/zlib.md#L754-L758)
-
[`vendor/node/lib/zlib.js:893`](https://github.com/oven-sh/bun/blob/main/vendor/node/lib/zlib.js#L893)
-
[`vendor/node/src/node_zlib.cc:890-904`](https://github.com/oven-sh/bun/blob/main/vendor/node/src/node_zlib.cc#L890-L904)

#### 2. Added `bun.zstd.decompressAlloc()` - centralized safe
decompression

Created a new function in `src/deps/zstd.zig` that handles decompression
in one place with automatic safety features:

- **Handles unknown content sizes**: Automatically switches to streaming
decompression when the zstd frame doesn't include content size (e.g.,
from streams without `pledgedSrcSize`)
- **16MB safety limit**: For security, if the reported decompressed size
exceeds 16MB, streaming decompression is used instead of blindly
trusting the header
- **Fast path for small files**: Still uses efficient pre-allocation for
files < 16MB with known sizes

This centralized fix automatically protects:
- `Bun.zstdDecompressSync()` / `Bun.zstdDecompress()`
- `StandaloneModuleGraph` source map decompression
- Any other code using `bun.zstd` decompression

### How did you verify your code works?

**Before:**
```typescript
const input = "hello world";

// Async compression
const compressed = await new Promise((resolve, reject) => {
  zlib.zstdCompress(input, (err, result) => {
    if (err) reject(err);
    else resolve(result);
  });
});

// This would fail with "Out of memory"
const decompressed = Bun.zstdDecompressSync(compressed);
```
**Error**: `RangeError: Out of memory` (tried to allocate UINT64_MAX
bytes)

**After:**
```typescript
const input = "hello world";

// Async compression (now includes content size)
const compressed = await new Promise((resolve, reject) => {
  zlib.zstdCompress(input, (err, result) => {
    if (err) reject(err);
    else resolve(result);
  });
});

// ✅ Works! Falls back to streaming decompression if needed
const decompressed = Bun.zstdDecompressSync(compressed);
console.log(decompressed.toString()); // "hello world"
```

**Tests:**
- ✅ All existing tests pass
- ✅ New regression tests for async/sync compression compatibility
(`test/regression/issue/23314/zstd-async-compress.test.ts`)
- ✅ Test for large (>16MB) decompression using streaming
(`test/regression/issue/23314/zstd-large-decompression.test.ts`)
- ✅ Test for various input sizes and types
(`test/regression/issue/23314/zstd-large-input.test.ts`)

**Security:**
The 16MB safety limit protects against malicious zstd frames that claim
huge decompressed sizes in the header, preventing potential OOM attacks.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Co-authored-by: Claude Bot <claude-bot@bun.sh>
Co-authored-by: Claude <noreply@anthropic.com>

2025-10-06 19:56:40 -07:00

_util

Redis PUB/SUB 2.0 (#22568 )

2025-09-26 03:06:18 -07:00

bake

ssg 3 (#22138 )

2025-09-30 05:26:32 -07:00

bundler

Allow --splitting and --compile together (#23017 )

2025-10-04 06:52:20 -07:00

cli

Add bunfig.toml support for test randomize, seed, and rerunEach options (#23286 )

2025-10-06 19:48:16 -07:00

config/bunfig

Add --import as alias to --preload for nodejs compat (#20523 )

2025-06-20 19:58:54 -07:00

docker

Start using test.concurrent in our tests (#22823 )

2025-09-22 05:30:34 -07:00

exports

js: no longer provide our own 'detect-libc' (#18138 )

2025-03-13 12:40:37 -07:00

fixtures/glob

better test for #17516 (#17530 )

2025-02-22 00:24:21 -08:00

integration

[1.3] Bun.serve({ websocket }) types (#20918 )

2025-10-06 16:07:36 -07:00

internal

Fix bunfig.toml parsing with UTF-8 BOM (#23276 )

2025-10-05 17:22:37 -07:00

fix(node:path): reverse iterate path.resolve arguments, and stop on absolute (#23293 )

2025-10-06 19:47:05 -07:00

napi

Start using test.concurrent in our tests (#22823 )

2025-09-22 05:30:34 -07:00

regression

fix: zstd decompression with async-compressed data (#23314 ) (#23317 )

2025-10-06 19:56:40 -07:00

runners

ci: misc fixes and test runner changes (#15024 )

2024-11-06 18:15:55 -07:00

scripts

meta: update bun.locks with bun 1.2 (#16867 )

2025-01-29 01:47:43 -08:00

snapshots

📷

2022-12-12 00:40:00 -08:00

snippets

fix: parse JSX namespace identifiers that have numbers in them (#19912 )

2025-05-27 15:45:11 -07:00

Use ReadableStream.prototype.* in tests instead of new Response(...).* (#20937 )

2025-07-14 00:47:53 -07:00

.prettierignore

run prettier and add back format action (#13722 )

2024-09-03 21:32:52 -07:00

AGENTS.md

Make AGENTS.md a symlink to CLAUDE.md

2025-06-27 21:13:21 -07:00

bun.lock

fix: Fix incompatibility with latest @types/node (#23307 )

2025-10-06 15:29:25 -07:00

bunfig.toml

fix(install): isolated install aliased dependency name fix (#21138 )

2025-07-19 01:59:52 -07:00

CLAUDE.md

update CLAUDE.md

2025-09-03 03:39:31 -07:00

expectations.txt

lsan: fix reporting on linux ci (#22806 )

2025-09-24 00:47:52 -07:00

harness.ts

fix(test): lcov reporter now counts only executable lines (#23320 )

2025-10-06 19:47:24 -07:00

http-test-server.ts

feat: new binding generator (#15638 )

2024-12-10 12:43:17 -08:00

leaksan.supp

ssg 3 (#22138 )

2025-09-30 05:26:32 -07:00

mkfifo.ts

musl patches [v4] (#15066 )

2024-11-11 19:23:58 -08:00

no-validate-exceptions.txt

fix(node:path): reverse iterate path.resolve arguments, and stop on absolute (#23293 )

2025-10-06 19:47:05 -07:00

no-validate-leaksan.txt

bun install: support for minimumReleaseAge (#22801 )

2025-10-06 02:58:04 -07:00

package-json-lint.test.ts

feat: support Svelte in bundler and dev server (#17735 )

2025-03-04 14:16:18 -08:00

package.json

ssg 3 (#22138 )

2025-09-30 05:26:32 -07:00

preload.ts

fix: pass homedir test (#15811 )

2024-12-20 00:36:59 -08:00

README.md

Substitute js/ for test/js/ (404) (#8808 )

2024-02-10 10:44:22 -08:00

tsconfig.json

bun install Security Scanner API (#21183 )

2025-08-21 14:53:50 -07:00

unix-domain-socket-proxy.ts

Migrate all Docker usage to unified docker-compose infrastructure (#22740 )

2025-09-19 04:20:58 -07:00

vendor.json

Rewrite test/describe, add test.concurrent (#22534 )

2025-09-20 00:35:42 -07:00

README.md

Tests

Finding tests

Tests are located in the test/ directory and are organized using the following structure:

test/
- js/ - tests for JavaScript APIs.
- cli/ - tests for commands, configs, and stdout.
- bundler/ - tests for the transpiler/bundler.
- regression/ - tests that reproduce a specific issue.
- harness.ts - utility functions that can be imported from any test.

The tests in test/js/ directory are further categorized by the type of API.

test/js/
- bun/ - tests for Bun-specific APIs.
- node/ - tests for Node.js APIs.
- web/ - tests for Web APIs, like fetch().
- first_party/ - tests for npm packages that are built-in, like undici.
- third_party/ - tests for npm packages that are not built-in, but are popular, like esbuild.

Running tests

To run a test, use Bun's built-in test command: bun test.

bun test # Run all tests
bun test js/bun # Only run tests in a directory
bun test sqlite.test.ts # Only run a specific test

If you encounter lots of errors, try running bun install, then trying again.

Writing tests

Tests are written in TypeScript (preferred) or JavaScript using Jest's describe(), test(), and expect() APIs.

import { describe, test, expect } from "bun:test";
import { gcTick } from "harness";

describe("TextEncoder", () => {
  test("can encode a string", async () => {
    const encoder = new TextEncoder();
    const actual = encoder.encode("bun");
    await gcTick();
    expect(actual).toBe(new Uint8Array([0x62, 0x75, 0x6E]));
  });
});

If you are fixing a bug that was reported from a GitHub issue, remember to add a test in the test/regression/ directory.

// test/regression/issue/02005.test.ts

import { it, expect } from "bun:test";

it("regex literal should work with non-latin1", () => {
  const text = "这是一段要替换的文字";
  expect(text.replace(new RegExp("要替换"), "")).toBe("这是一段的文字");
  expect(text.replace(/要替换/, "")).toBe("这是一段的文字");
});

In the future, a bot will automatically close or re-open issues when a regression is detected or resolved.

Zig tests

These tests live in various .zig files throughout Bun's codebase, leveraging Zig's builtin test keyword.

Currently, they're not run automatically nor is there a simple way to run all of them. We will make this better soon.

TypeScript

Test files should be written in TypeScript. The types in packages/bun-types should be updated to support all new APIs. Changes to the .d.ts files in packages/bun-types will be immediately reflected in test files; no build step is necessary.

Writing a test will often require using invalid syntax, e.g. when checking for errors when an invalid input is passed to a function. TypeScript provides a number of escape hatches here.

// @ts-expect-error - This should be your first choice. It tells TypeScript that the next line should fail typechecking.
// @ts-ignore - Ignore the next line entirely.
// @ts-nocheck - Put this at the top of the file to disable typechecking on the entire file. Useful for autogenerated test files, or when ignoring/disabling type checks an a per-line basis is too onerous.