Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit e992a34

Browse filesBrowse files
mcollinaaduh95
mcollina
authored and
aduh95
committed
zlib: fix use-after-free when reset() is called during write
The Reset() method did not check the write_in_progress_ flag before resetting the compression stream. This allowed reset() to free the compression library's internal state while a worker thread was still using it during an async write, causing a use-after-free. Add a write_in_progress_ guard to Reset() that throws an error if a write is in progress, matching the existing pattern used by Close() and Write(). PR-URL: TODO Refs: https://hackerone.com/reports/3609132 PR-URL: #62325 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
1 parent 1cdd23c commit e992a34
Copy full SHA for e992a34

2 files changed

+29Lines changed: 29 additions & 0 deletions

File tree

Expand file treeCollapse file tree
Open diff view settings
Filter options
Expand file treeCollapse file tree
Open diff view settings
Collapse file

‎src/node_zlib.cc‎

Copy file name to clipboardExpand all lines: src/node_zlib.cc
+6Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -644,6 +644,12 @@ class CompressionStream : public AsyncWrap,
644644
CompressionStream* wrap;
645645
ASSIGN_OR_RETURN_UNWRAP(&wrap, args.This());
646646

647+
if (wrap->write_in_progress_) {
648+
wrap->env()->ThrowError(
649+
"Cannot reset zlib stream while a write is in progress");
650+
return;
651+
}
652+
647653
AllocScope alloc_scope(wrap);
648654
const CompressionError err = wrap->context()->ResetStream();
649655
if (err.IsError())
Collapse file

‎test/parallel/test-zlib-reset-during-write.js‎

Copy file name to clipboard
+23Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
'use strict';
2+
const common = require('../common');
3+
const assert = require('assert');
4+
const { createBrotliCompress, createDeflate } = require('zlib');
5+
6+
// Tests that calling .reset() while an async write is in progress
7+
// throws an error instead of causing a use-after-free.
8+
9+
for (const factory of [createBrotliCompress, createDeflate]) {
10+
const stream = factory();
11+
const input = Buffer.alloc(1024, 0x41);
12+
13+
stream.write(input, common.mustCall());
14+
stream.on('error', common.mustNotCall());
15+
16+
// The write has been dispatched to the thread pool.
17+
// Calling reset while write is in progress must throw.
18+
assert.throws(() => {
19+
stream._handle.reset();
20+
}, {
21+
message: 'Cannot reset zlib stream while a write is in progress',
22+
});
23+
}

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.