From c7727b136b8667328224357df0dbb0378fcf2e69 Mon Sep 17 00:00:00 2001
From: Jarred Sumner
Date: Fri, 1 Apr 2022 19:53:37 -0700
Subject: [bun.js] Fix use-after-free in Bun.write
---
 src/javascript/jsc/webcore/response.zig | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/javascript/jsc/webcore/response.zig b/src/javascript/jsc/webcore/response.zig
index a4c83fc43..639ee7f71 100644
--- a/src/javascript/jsc/webcore/response.zig
+++ b/src/javascript/jsc/webcore/response.zig
@@ -1963,7 +1963,6 @@ pub const Blob = struct {
 file_offset: u64,
 ) AsyncIO.WriteError!SizeType {
 var aio = &AsyncIO.global;
- this.wrote = 0;
 aio.write(
 *WriteFile,
 this,
@@ -2006,15 +2005,16 @@ pub const Blob = struct {
 return;
 }
+ const wrote = this.wrote;
 bun.default_allocator.destroy(this);
- cb(cb_ctx, .{ .result = @truncate(SizeType, this.wrote) });
+ cb(cb_ctx, .{ .result = @truncate(SizeType, wrote) });
 }
 pub fn run(this: *WriteFile, task: *WriteFileTask) void {
 this.runAsyncFrame = async this.runAsync(task);
 }
 pub fn onWrite(this: *WriteFile, _: *HTTPClient.NetworkThread.Completion, result: AsyncIO.WriteError!usize) void {
- this.wrote = @truncate(SizeType, result catch |err| {
+ this.wrote += @truncate(SizeType, result catch |err| {
 this.errno = err;
 this.wrote = 0;
 resume this.write_frame;
--
cgit v1.2.3
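Review bot: In the first hunk (`@@ -1963,7 +1963,6 @@`), dropping `this.wrote = 0;` leaves the running total in `wrote` dependent on the field being zero when the WriteFile is created, and that initialiser is not visible in this diff. Since `onWrite` in the second hunk now uses `+=`, a short comment at this call site would record the invariant, e.g. `// wrote accumulates across writes; it must not be reset here`. The same `+=` adds a value that `@truncate(SizeType, ...)` has already narrowed, so if SizeType is narrower than usize the sum can overflow (a trap in safe builds, undefined in ReleaseFast); a saturating `this.wrote +|= ...` would keep the count reported to the caller well-defined. The enclosing function starts and ends outside the hunk.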
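Review bot: In the second hunk (`@@ -2006,15 +2005,16 @@`), the copy-before-`destroy` fix is visible only for the success path; the branch that ends in `return;` just above it begins outside the hunk, so it should be checked for the same pattern of reading a field of `this` after `bun.default_allocator.destroy(this)`. A comment on the destroy line would help keep later edits from reintroducing the bug, e.g. `// this is freed here; copy every field the callback needs first`. The function containing these lines starts outside the hunk.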