git.kaiwu.me - njs.git/commit
QuickJS: fixed potential heap-use-after-free.
author    Dmitry Volyntsev <xeioex@nginx.com>
          Thu, 28 Aug 2025 22:20:31 +0000 (15:20 -0700)
committer Dmitry Volyntsev <xeioexception@gmail.com>
          Mon, 8 Sep 2025 22:59:30 +0000 (15:59 -0700)
commit    4eeb4c527c8031b676c720c7ebb49ad356233a31
tree      7e7119d678fba82e552e2b24bbfa68eee220153c
parent    a9dabca11201f5e56196c876a6b4791e858c0358
QuickJS: fixed potential heap-use-after-free.

Previously, in the QuickJS engine, fields allocated from a memory pool linked
to the QuickJS engine's lifetime were stored in nginx data structs.

This causes a heap-use-after-free if the QuickJS engine is destroyed
earlier than the last access from nginx. For example, it becomes
visible when moving the NJS cleanup handler from pool->cleanup to
r->cleanup.

The fix is to only store references in nginx objects allocated from
the nginx memory pool.
nginx/ngx_http_js_module.c
nginx/ngx_js.c
nginx/ngx_js.h
nginx/ngx_qjs_fetch.c
nginx/ngx_stream_js_module.c
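The lifetime mismatch the commit describes, as an added example that is not njs's own code: a toy bump-pool allocator stands in for the nginx and QuickJS memory pools, a request-scoped struct stores a string either by reference (the pattern before the fix) or by copying it into its own pool (the fix), and a debug invariant checks that every stored pointer belongs to the holder's pool before the engine pool is torn down. `pool_t`, `req_obj_t` and the function names are assumed stand-ins, not nginx's `ngx_pool_t` API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal bump allocator standing in for a memory pool: everything carved
 * from it dies when the pool is destroyed (toy, not nginx's ngx_pool_t). */
typedef struct { unsigned char *base; size_t size, used; } pool_t;

static pool_t *pool_create(size_t size) {
    pool_t *p = malloc(sizeof(*p));
    if (p == NULL) return NULL;
    p->base = malloc(size); p->size = size; p->used = 0;
    return p;
}
static void *pool_alloc(pool_t *p, size_t n) {
    if (p->used + n > p->size) return NULL;
    void *ptr = p->base + p->used; p->used += n;
    return ptr;
}
static void pool_destroy(pool_t *p) { free(p->base); free(p); }
/* Does ptr point into p's region? Used to check the lifetime invariant. */
static int pool_owns(const pool_t *p, const void *ptr) {
    const unsigned char *c = ptr;
    return c >= p->base && c < p->base + p->size;
}

/* nginx-side object: lives as long as the request, i.e. the nginx pool. */
typedef struct { pool_t *owner; char *name; } req_obj_t;

/* Pattern before the fix: keep a pointer that came from the engine's pool. */
static void set_name_by_ref(req_obj_t *o, char *engine_str) { o->name = engine_str; }

/* Fixed pattern: copy into the pool whose lifetime matches the holder. */
static int set_name_by_copy(req_obj_t *o, const char *engine_str) {
    size_t n = strlen(engine_str) + 1;
    char *copy = pool_alloc(o->owner, n);
    if (copy == NULL) return -1;
    memcpy(copy, engine_str, n); o->name = copy;
    return 0;
}
/* Invariant a debug build can assert: stored references belong to the owner pool. */
static int refs_valid(const req_obj_t *o) {
    return o->name == NULL || pool_owns(o->owner, o->name);
}

/* Returns 1 if name is still readable after the engine pool is gone, else 0. */
int scenario(int use_copy) {
    pool_t *ngx_pool = pool_create(256), *engine_pool = pool_create(256);
    req_obj_t *o = pool_alloc(ngx_pool, sizeof(*o));
    o->owner = ngx_pool; o->name = NULL;
    char *s = pool_alloc(engine_pool, 6); memcpy(s, "hello", 6);  /* constructed engine string */
    if (use_copy) set_name_by_copy(o, s); else set_name_by_ref(o, s);
    int valid = refs_valid(o);        /* check before anything is freed */
    pool_destroy(engine_pool);        /* engine torn down before the request, as in the commit */
    int ok = valid && strcmp(o->name, "hello") == 0;  /* dereference only if the invariant holds */
    pool_destroy(ngx_pool);
    return ok;
}
```

With `set_name_by_ref` the invariant check fails and `o->name` would be dangling once the engine pool is destroyed; with `set_name_by_copy` the string survives until the request pool is freed.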