Advisories for Cargo/Neon package

2022

Use after free in Neon external buffers

Neon provides functionality for creating JavaScript ArrayBuffer (and the Buffer subtype) instances backed by bytes allocated outside of V8/Node. The JsArrayBuffer::external and JsBuffer::external did not require T: 'static prior to Neon 0.10.1. This allowed creating an externally backed buffer from types that may be freed while they are still referenced by a JavaScript ArrayBuffer. The following example demonstrates use after free. It compiles on versions <0.10.1 and fails to compile …