n-api: fix use-after-free with napi_remove_async_cleanup_hook

Fixes: #34657 Refs: #34572 PR-URL: #34662 Reviewed-By: Gabriel Schulhof <[email protected]> Reviewed-By: James M Snell <[email protected]>
nodejs · Aug 11, 2020 · 4ed89a3 · 4ed89a3
1 parent db6f9bd
commit 4ed89a3
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/node_api.cc b/src/node_api.cc
@@ -533,6 +533,7 @@ napi_status napi_add_async_cleanup_hook(
   auto handle = node::AddEnvironmentCleanupHook(env->isolate, fun, arg);
   if (remove_handle != nullptr) {
     *remove_handle = new napi_async_cleanup_hook_handle__ { std::move(handle) };
+    env->Ref();
   }
 
   return napi_clear_last_error(env);
@@ -547,6 +548,11 @@ napi_status napi_remove_async_cleanup_hook(
   node::RemoveEnvironmentCleanupHook(std::move(remove_handle->handle));
   delete remove_handle;
 
+  // Release the `env` handle asynchronously since it would be surprising if
+  // a call to a N-API function would destroy `env` synchronously.
+  static_cast<node_napi_env>(env)->node_env()
+      ->SetImmediate([env](node::Environment*) { env->Unref(); });
+
   return napi_clear_last_error(env);
 }