Closed
Description
In GHSA-p5g2-876g-95h9, we discovered that in Chromium, a user could run JavaScript code synchronously during `ReadableStreamFulfillReadIntoRequest` by patching `Object.prototype.then`, and use this gadget to break some invariants within `ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue`. Fortunately, Node.js seems unaffected.

The Streams standard has been updated with a proper fix for this case. We now postpone all calls to `ReadableByteStreamControllerCommitPullIntoDescriptor` until after all pull-into descriptors have been filled up by `ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue`. This way, we won't trigger any patched `then()` method until the stream is in a stable state.
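To make the ordering change concrete, here is an added toy model of the pull-into queue; it is illustration code written for this note, not Node.js or Streams-spec code. `ModelController`, its `processing` flag, `onCommit` hook and the `runScenario` helper are all invented stand-ins: `onCommit` plays the role of the point where a read promise is resolved and user code (including a patched `then()`) can run. The "eager" method commits each descriptor inside the fill loop, the "deferred" method commits only after the loop has finished, matching the spec update described above.

```javascript
// Added illustration, not Node.js or spec code: a toy model of a byte-stream
// controller's pull-into queue. Names are simplified stand-ins for the spec's
// ReadableByteStreamController operations.

class ModelController {
  constructor(onCommit) {
    this.queue = [];            // queued chunks (Uint8Array), like [[queue]]
    this.queueTotalSize = 0;    // sum of chunk lengths, like [[queueTotalSize]]
    this.pendingPullIntos = []; // descriptors waiting for bytes
    this.onCommit = onCommit;   // user-visible hook: where a read promise would
                                // resolve and a patched then() could run
    this.processing = false;    // true while the fill loop is running
  }

  enqueue(bytes) {
    this.queue.push(bytes);
    this.queueTotalSize += bytes.length;
  }

  addPullInto(bytesNeeded) {
    this.pendingPullIntos.push({ bytesNeeded, filled: 0 });
  }

  // Move bytes from the queue into the head descriptor; true when it is full.
  fillHeadFromQueue() {
    const d = this.pendingPullIntos[0];
    while (d.filled < d.bytesNeeded && this.queue.length > 0) {
      const chunk = this.queue[0];
      const take = Math.min(chunk.length, d.bytesNeeded - d.filled);
      d.filled += take;
      this.queueTotalSize -= take;
      if (take === chunk.length) this.queue.shift();
      else this.queue[0] = chunk.subarray(take);
    }
    return d.filled === d.bytesNeeded;
  }

  // Pre-fix ordering: commit each descriptor as soon as it is full, so user
  // code runs while the fill loop is still in progress.
  processPullIntosEager() {
    this.processing = true;
    while (this.pendingPullIntos.length > 0 && this.queueTotalSize > 0) {
      if (!this.fillHeadFromQueue()) break;
      const d = this.pendingPullIntos.shift();
      this.onCommit(this, d);
    }
    this.processing = false;
  }

  // Post-fix ordering: fill every descriptor that can be filled, leave the
  // loop, and only then commit, so user code observes a stable controller.
  processPullIntosDeferred() {
    this.processing = true;
    const filled = [];
    while (this.pendingPullIntos.length > 0 && this.queueTotalSize > 0) {
      if (!this.fillHeadFromQueue()) break;
      filled.push(this.pendingPullIntos.shift());
    }
    this.processing = false;
    for (const d of filled) this.onCommit(this, d);
  }
}

// Run one scenario ("eager" or "deferred") and report what the user callback
// observed at each commit. All sample data is constructed for the demo.
function runScenario(mode) {
  const observedMidLoop = [];
  const c = new ModelController((ctrl, d) => {
    observedMidLoop.push(ctrl.processing);
    // A re-entrant user callback: hand the controller more work once the
    // original descriptors are gone. In the eager case this runs while the
    // controller is still inside its own fill loop.
    if (d.bytesNeeded === 4 && ctrl.pendingPullIntos.length === 0) {
      ctrl.addPullInto(2);
      ctrl.enqueue(new Uint8Array([9, 9]));
    }
  });
  c.addPullInto(4);
  c.addPullInto(4);
  c.enqueue(new Uint8Array(8)); // enough bytes for both 4-byte descriptors
  if (mode === 'eager') c.processPullIntosEager();
  else c.processPullIntosDeferred();
  return {
    observedMidLoop,                          // processing flag seen per commit
    leftoverPullIntos: c.pendingPullIntos.length,
    leftoverBytes: c.queueTotalSize,
  };
}
```

With the eager ordering, every commit callback sees `processing === true` and the re-entrant work is absorbed into the running loop, which is exactly the window a patched `then()` exploits. With the deferred ordering, every callback sees `processing === false`, and work added by the callback simply waits for the next processing pass.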