From 785389d15b91d6158d0587810868275b68ac1de4 Mon Sep 17 00:00:00 2001
From: Daniel Henry-Mantilla <daniel.henry.mantilla@gmail.com>
Date: Fri, 5 Feb 2021 17:37:48 +0100
Subject: [PATCH] [cli] Fix the UAF with by-value receivers and `--weak-refs`

Fixes https://github.com/rustwasm/wasm-bindgen/issues/2447
---
 crates/cli-support/src/js/binding.rs | 9 ++++-----
 crates/cli-support/src/js/mod.rs     | 7 ++++++-
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/crates/cli-support/src/js/binding.rs b/crates/cli-support/src/js/binding.rs
index 572a8359542..db1550ae1e0 100644
--- a/crates/cli-support/src/js/binding.rs
+++ b/crates/cli-support/src/js/binding.rs
@@ -124,15 +124,14 @@ impl<'a, 'b> Builder<'a, 'b> {
                 drop(params.next());
                 if js.cx.config.debug {
                     js.prelude(
-                        "if (this.ptr == 0) throw new Error('Attempt to use a moved value');\n",
+                        "if (this.ptr == 0) throw new Error('Attempt to use a moved value');",
                     );
                 }
                 if consumes_self {
-                    js.prelude("var ptr = this.ptr;");
-                    js.prelude("this.ptr = 0;");
-                    js.args.push("ptr".to_string());
+                    js.prelude("const ptr = this.__destroy_into_raw();");
+                    js.args.push("ptr".into());
                 } else {
-                    js.args.push("this.ptr".to_string());
+                    js.args.push("this.ptr".into());
                 }
             }
             None => {}
diff --git a/crates/cli-support/src/js/mod.rs b/crates/cli-support/src/js/mod.rs
index 9fe2e99e25a..ed4de3da84b 100644
--- a/crates/cli-support/src/js/mod.rs
+++ b/crates/cli-support/src/js/mod.rs
@@ -846,10 +846,15 @@ impl<'a> Context<'a> {
 
         dst.push_str(&format!(
             "
-            free() {{
+            __destroy_into_raw() {{
                 const ptr = this.ptr;
                 this.ptr = 0;
                 {}
+                return ptr;
+            }}
+
+            free() {{
+                const ptr = this.__destroy_into_raw();
                 wasm.{}(ptr);
             }}
             ",