From b760d1da30c343a98600f8693b5455e00e3f47c5 Mon Sep 17 00:00:00 2001
From: Jarred Sumner <709451+Jarred-Sumner@users.noreply.github.com>
Date: Mon, 17 Jul 2023 23:02:33 -0700
Subject: Fix potential crash in process.dlopen()

---
 src/bun.js/bindings/Process.cpp | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

(limited to 'src/bun.js/bindings/Process.cpp')

diff --git a/src/bun.js/bindings/Process.cpp b/src/bun.js/bindings/Process.cpp
index a7798bf9f..6c58c94dd 100644
--- a/src/bun.js/bindings/Process.cpp
+++ b/src/bun.js/bindings/Process.cpp
@@ -230,23 +230,35 @@ JSC_DEFINE_HOST_FUNCTION(Process_functionDlopen,
     auto argCount = callFrame->argumentCount();
     if (argCount < 2) {
-
         JSC::throwTypeError(globalObject, scope, "dlopen requires 2 arguments"_s);
         return JSC::JSValue::encode(JSC::JSValue {});
     }
     JSC::JSValue moduleValue = callFrame->uncheckedArgument(0);
-    if (!moduleValue.isObject()) {
+    JSC::JSObject* moduleObject = jsDynamicCast(moduleValue);
+    if (UNLIKELY(!moduleObject)) {
         JSC::throwTypeError(globalObject, scope, "dlopen requires an object as first argument"_s);
         return JSC::JSValue::encode(JSC::JSValue {});
     }
-    JSC::Identifier exportsSymbol = JSC::Identifier::fromString(vm, "exports"_s);
-    JSC::JSObject* exports = moduleValue.getObject()->getIfPropertyExists(globalObject, exportsSymbol).getObject();
+
+    JSValue exports = moduleObject->getIfPropertyExists(globalObject, builtinNames(vm).exportsPublicName());
+    RETURN_IF_EXCEPTION(scope, {});
+
+    if (UNLIKELY(!exports)) {
+        JSC::throwTypeError(globalObject, scope, "dlopen requires an object with an exports property"_s);
+        return JSC::JSValue::encode(JSC::JSValue {});
+    }
+
+    globalObject->pendingNapiModule = exports;
+    if (exports.isCell()) {
+        vm.writeBarrier(globalObject, exports.asCell());
+    }
     WTF::String filename = callFrame->uncheckedArgument(1).toWTFString(globalObject);
+    RETURN_IF_EXCEPTION(scope, {});
+
     CString utf8 = filename.utf8();
-    globalObject->pendingNapiModule = exports;
     void* handle = dlopen(utf8.data(), RTLD_LAZY);
     if (!handle) {
-- 
cgit v1.2.3
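Review bot: `globalObject->pendingNapiModule = exports;` and its write barrier now run before `toWTFString(globalObject)` on the second argument, and the `RETURN_IF_EXCEPTION(scope, {});` added right after that call returns with pendingNapiModule still pointing at this module's exports, whereas before this change the store came after the filename conversion. If a later dlopen or NAPI registration reads pendingNapiModule without resetting it, that stale value could be attached to the wrong module; the consumers are not visible in this hunk, so that part is inferred. Moving the assignment together with the `if (exports.isCell())` barrier block to just after `CString utf8 = filename.utf8();` keeps the store behind every throwing call in this part of the function; the `if (!handle)` branch that follows is outside the hunk, so whether a failed dlopen clears the field also needs a look. Separately, `if (UNLIKELY(!exports))` only rejects a missing property, so a primitive `module.exports` value is stored as-is; if the registration path expects an object, an `exports.isObject()` check here would preserve the contract the removed `getObject()` implied.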