bun.sh

mirror of https://github.com/oven-sh/bun synced 2026-02-25 11:07:19 +01:00

Files

robobun 9f5970938f fix(spawn): prevent integer overflow in getArgv with large array length (#27316 )

## Crash
Integer overflow panic in `getArgv` when `Bun.spawn`/`Bun.spawnSync`
receives an array with `.length` near u32 max (e.g. 4294967295).

## Reproduction
```js
const arr = ["echo", "hello"];
Object.defineProperty(arr, "length", { value: 4294967295 });
Bun.spawnSync(arr);
```

## Root Cause
`JSArrayIterator.len` is a `u32` derived from the JS array's `.length`
property. In `getArgv`, the expression `cmds_array.len + 2` (for argv0 +
null terminator) overflows `u32` arithmetic when `len` is close to `u32`
max. This causes a panic in debug builds and a segfault in release
builds. Additionally, the validation checks (`isEmptyOrUndefinedOrNull`
and `len == 0`) were placed after the overflowing `initCapacity` call,
so they couldn't prevent the crash.

## Fix
- Move validation checks before the `initCapacity` call
- Add a length check rejecting arrays with length > `u32 max - 2`
- Widen `cmds_array.len` to `usize` before adding 2 to prevent overflow
- Use `try argv.append()` instead of `appendAssumeCapacity` for safety

## Verification
- Reproduction no longer crashes (throws clean "cmd array is too large"
error)
- Normal `Bun.spawn`/`Bun.spawnSync` usage unaffected
- Added regression test at
`test/js/bun/spawn/spawn-large-array-length.test.ts`

Co-authored-by: Claude <noreply@anthropic.com>

2026-02-20 20:24:22 -08:00

bun

fix(spawn): prevent integer overflow in getArgv with large array length (#27316 )

2026-02-20 20:24:22 -08:00

deno

…

first_party

feat(websocket): add HTTP/HTTPS proxy support (#25614 )

2026-01-08 16:21:34 -08:00

junit-reporter

feat(test): add --retry flag and emit separate testcase entries for retries in JUnit XML (#26866 )

2026-02-10 10:58:21 -08:00