Skip to content

install(UpdateRequest): heap-allocate spec normalizer temp buffer #30064

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Jarred-Sumner merged 1 commit into from
May 2, 2026
Merged

install(UpdateRequest): heap-allocate spec normalizer temp buffer #30064

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 7 additions & 3 deletions src/install/PackageManager/UpdateRequest.zig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,10 +125,14 @@ fn parseWithError(
outer: for (positionals) |positional| {
var input: []u8 = bun.handleOom(bun.default_allocator.dupe(u8, std.mem.trim(u8, positional, " \n\r\t")));
{
var temp: [2048]u8 = undefined;
const len = std.mem.replace(u8, input, "\\\\", "/", &temp);
bun.path.platformToPosixInPlace(u8, &temp);
// Replacing "\\\\" (2 bytes) with "/" (1 byte) never grows the string, so a
// buffer of `input.len` bytes is always sufficient. Previously this was a
// fixed `[2048]u8` stack array which overflowed for longer positionals.
const temp = bun.handleOom(bun.default_allocator.alloc(u8, input.len));
defer bun.default_allocator.free(temp);
const len = std.mem.replace(u8, input, "\\\\", "/", temp);
const input2 = temp[0 .. input.len - len];
bun.path.platformToPosixInPlace(u8, input2);
@memcpy(input[0..input2.len], input2);
input.len = input2.len;
}
Expand Down
34 changes: 34 additions & 0 deletions test/cli/install/bun-add.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -362,6 +362,40 @@ it.each(["fileblah://"])("should reject invalid path without segfault: %s", asyn
);
});

it("should reject positionals longer than 2048 bytes without stack overflow", async () => {
await writeFile(
join(package_dir, "package.json"),
JSON.stringify({
name: "bar",
version: "0.0.2",
}),
);
// Previously the spec normalizer wrote the full positional into a 2048-byte
// stack buffer with no bounds check, smashing the stack in ReleaseFast and
// tripping ASAN in debug builds.
const dep = Buffer.alloc(8000, "a").toString();
const { stdout, stderr, exited } = spawn({
cmd: [bunExe(), "add", dep],
cwd: package_dir,
stdout: "pipe",
stdin: "pipe",
stderr: "pipe",
env,
});
const err = await stderr.text();
expect(err).toContain(`error: unrecognised dependency format: ${dep}`);

const out = await stdout.text();
expect(out).toEqual(expect.stringContaining("bun add v1."));
expect(await exited).toBe(1);
expect(await file(join(package_dir, "package.json")).text()).toEqual(
JSON.stringify({
name: "bar",
version: "0.0.2",
}),
);
});

it("should handle semver-like names", async () => {
const urls: string[] = [];
setHandler(async request => {
Expand Down
Loading