commit 5c437a2649d0a18e0a4c944d4f2986bbe3bd6705
parent b7a1dc13b2b6bbc956a02bebf81d93b1ab31c179
Author: Florian Dold <florian@dold.me>
Date: Tue, 17 Jun 2025 00:28:01 +0200
fix #10106: memory freed based on uninitialized counter
Diffstat:
1 file changed, 14 insertions(+), 22 deletions(-)
diff --git a/quickjs/quickjs-libc.c b/quickjs/quickjs-libc.c
@@ -4083,22 +4083,18 @@ static void js_free_host_message_pipe(JSHostMessagePipe *ps)
{
struct list_head *el, *el1;
JSHostMessage *msg;
- int ref_count;
if (!ps)
return;
- assert(ref_count >= 0);
- if (ref_count == 0) {
- list_for_each_safe(el, el1, &ps->msg_queue) {
- msg = list_entry(el, JSHostMessage, link);
- js_free_host_message(msg);
- }
- pthread_mutex_destroy(&ps->mutex);
- close(ps->read_fd);
- close(ps->write_fd);
- free(ps);
+ list_for_each_safe(el, el1, &ps->msg_queue) {
+ msg = list_entry(el, JSHostMessage, link);
+ js_free_host_message(msg);
}
+ pthread_mutex_destroy(&ps->mutex);
+ close(ps->read_fd);
+ close(ps->write_fd);
+ free(ps);
}
#ifndef NO_HTTP
@@ -4107,22 +4103,18 @@ static void js_free_http_message_pipe(JSHttpMessagePipe *ps)
{
struct list_head *el, *el1;
JSHttpMessage *msg;
- int ref_count;
if (!ps)
return;
- assert(ref_count >= 0);
- if (ref_count == 0) {
- list_for_each_safe(el, el1, &ps->msg_queue) {
- msg = list_entry(el, JSHttpMessage, link);
- js_free_http_message(msg);
- }
- pthread_mutex_destroy(&ps->mutex);
- close(ps->read_fd);
- close(ps->write_fd);
- free(ps);
+ list_for_each_safe(el, el1, &ps->msg_queue) {
+ msg = list_entry(el, JSHttpMessage, link);
+ js_free_http_message(msg);
}
+ pthread_mutex_destroy(&ps->mutex);
+ close(ps->read_fd);
+ close(ps->write_fd);
+ free(ps);
}
#endif
