]> git.kaiwu.me - njs.git/commitdiff
QuickJS: fix fetch() init property value leaks
authorDmitry Volyntsev <xeioex@nginx.com>
Fri, 12 Jun 2026 00:34:23 +0000 (17:34 -0700)
committerDmitry Volyntsev <xeioexception@gmail.com>
Fri, 12 Jun 2026 03:26:59 +0000 (20:26 -0700)
Previously, the values of the buffer_size, max_response_body_size
and verify init properties were not released after conversion,
leaking heap values such as objects with a valueOf() method.

nginx/ngx_qjs_fetch.c

index 854deb521c32d3bfa1a349050d1565d333c06644..535773bc022ebe1977a9b236a673a3b7c65d9d70 100644 (file)
@@ -287,8 +287,10 @@ ngx_qjs_ext_fetch(JSContext *cx, JSValueConst this_val, int argc,
         }
 
         if (!JS_IsUndefined(value)) {
-            if (JS_ToInt64(cx, (int64_t *) &http->buffer_size, value) < 0) {
-                JS_FreeValue(cx, value);
+            rc = JS_ToInt64(cx, (int64_t *) &http->buffer_size, value);
+            JS_FreeValue(cx, value);
+
+            if (rc < 0) {
                 goto fail;
             }
         }
@@ -299,10 +301,11 @@ ngx_qjs_ext_fetch(JSContext *cx, JSValueConst this_val, int argc,
         }
 
         if (!JS_IsUndefined(value)) {
-            if (JS_ToInt64(cx, (int64_t *) &http->max_response_body_size,
-                           value) < 0)
-            {
-                JS_FreeValue(cx, value);
+            rc = JS_ToInt64(cx, (int64_t *) &http->max_response_body_size,
+                            value);
+            JS_FreeValue(cx, value);
+
+            if (rc < 0) {
                 goto fail;
             }
         }
@@ -315,6 +318,7 @@ ngx_qjs_ext_fetch(JSContext *cx, JSValueConst this_val, int argc,
 
         if (!JS_IsUndefined(value)) {
             http->ssl_verify = JS_ToBool(cx, value);
+            JS_FreeValue(cx, value);
         }
 #endif
     }