mirror/browser
1
0
Fork 0
mirror of https://github.com/lightpanda-io/browser.git synced 2026-06-11 01:25:53 -04:00
Code Issues Packages Projects Releases Wiki Activity

agent: prevent use-after-free in synthesizeSave

Browse Source
This commit is contained in:
Adrià Arrufat
2026-06-02 15:26:27 +02:00
parent 8739fbcb4b
commit db21f658f0
1 changed files with 7 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/agent/Agent.zig
View File

@@ -893,9 +893,13 @@ fn synthesizeSave(self: *Agent, arena: std.mem.Allocator, filename: ?[]const u8,
return self.failSave("the model returned no script");
};
// Dupe out of `result.arena` (freed below) and `message_arena` (rebuilt by
// rollback) into the command arena before either is reclaimed.
const script = browser_tools.reverseSubstituteEnvVars(arena, stripCodeFence(raw)) catch {
// `result.text` lives in `message_arena`, which the rollback below frees;
// copy into the command arena first (scrubbing may return its input as-is).
const owned = arena.dupe(u8, stripCodeFence(raw)) catch {
self.rollbackMessages(baseline);
return self.failSave("out of memory");
};
const script = browser_tools.reverseSubstituteEnvVars(arena, owned) catch {
self.rollbackMessages(baseline);
return self.failSave("out of memory");
};