handle_wrap: fix NULL pointer dereference

bnoordhuis · bnoordhuis · commit ccd37226c6d3 · 2013-04-16T23:11:03.000+02:00
Fix a NULL pointer dereference in src/handle_wrap.cc which is really a
use-after-close bug.

The test checks that unref() after close() works on process.stdout but
this bug affects everything that derives from HandleWrap. I discovered
it because child processes would sometimes quit for no reason (that is,
no reason until I turned on core dumps.)
diff --git a/src/handle_wrap.cc b/src/handle_wrap.cc
@@ -57,7 +57,7 @@ Handle<Value> HandleWrap::Ref(const Arguments& args) {
 
   UNWRAP_NO_ABORT(HandleWrap)
 
-  if (wrap) {
+  if (wrap != NULL && wrap->handle__ != NULL) {
     uv_ref(wrap->handle__);
     wrap->flags_ &= ~kUnref;
   }
@@ -71,7 +71,7 @@ Handle<Value> HandleWrap::Unref(const Arguments& args) {
 
   UNWRAP_NO_ABORT(HandleWrap)
 
-  if (wrap) {
+  if (wrap != NULL && wrap->handle__ != NULL) {
     uv_unref(wrap->handle__);
     wrap->flags_ |= kUnref;
   }
diff --git a/test/simple/test-stdout-close-unref.js b/test/simple/test-stdout-close-unref.js
@@ -0,0 +1,23 @@
+// Copyright Joyent, Inc. and other Node contributors.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to permit
+// persons to whom the Software is furnished to do so, subject to the
+// following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+process.stdout._handle.close();
+process.stdout._handle.unref();  // Should not segfault.

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ Handle<Value> HandleWrap::Ref(const Arguments& args) {`
`57`	`57`
`58`	`58`	`UNWRAP_NO_ABORT(HandleWrap)`
`59`	`59`
`60`		`- if (wrap) {`
	`60`	`+ if (wrap != NULL && wrap->handle__ != NULL) {`
`61`	`61`	`uv_ref(wrap->handle__);`
`62`	`62`	`wrap->flags_ &= ~kUnref;`
`63`	`63`	`}`
`@@ -71,7 +71,7 @@ Handle<Value> HandleWrap::Unref(const Arguments& args) {`
`71`	`71`
`72`	`72`	`UNWRAP_NO_ABORT(HandleWrap)`
`73`	`73`
`74`		`- if (wrap) {`
	`74`	`+ if (wrap != NULL && wrap->handle__ != NULL) {`
`75`	`75`	`uv_unref(wrap->handle__);`
`76`	`76`	`wrap->flags_ \|= kUnref;`
`77`	`77`	`}`