Fix potential use-after-free in JSString

kateinoigakukun · kateinoigakukun · commit a4376e3e3653 · 2025-03-27T12:15:23.000Z
The guts' lifetime was not guaranteed to be longer than
`swjs_value_equals` call, which could lead to a use-after-free.
diff --git a/Sources/JavaScriptKit/FundamentalObjects/JSString.swift b/Sources/JavaScriptKit/FundamentalObjects/JSString.swift
@@ -77,7 +77,11 @@ public struct JSString: LosslessStringConvertible, Equatable {
     ///   - lhs: A string to compare.
     ///   - rhs: Another string to compare.
     public static func == (lhs: JSString, rhs: JSString) -> Bool {
-        return swjs_value_equals(lhs.guts.jsRef, rhs.guts.jsRef)
+        withExtendedLifetime(lhs.guts) { lhsGuts in
+            withExtendedLifetime(rhs.guts) { rhsGuts in
+                return swjs_value_equals(lhsGuts.jsRef, rhsGuts.jsRef)
+            }
+        }
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,11 @@ public struct JSString: LosslessStringConvertible, Equatable {`
`77`	`77`	`/// - lhs: A string to compare.`
`78`	`78`	`/// - rhs: Another string to compare.`
`79`	`79`	`public static func == (lhs: JSString, rhs: JSString) -> Bool {`
`80`		`- return swjs_value_equals(lhs.guts.jsRef, rhs.guts.jsRef)`
	`80`	`+ withExtendedLifetime(lhs.guts) { lhsGuts in`
	`81`	`+ withExtendedLifetime(rhs.guts) { rhsGuts in`
	`82`	`+ return swjs_value_equals(lhsGuts.jsRef, rhsGuts.jsRef)`
	`83`	`+ }`
	`84`	`+ }`
`81`	`85`	`}`
`82`	`86`	`}`
`83`	`87`