From 18e2e4439f6fc29159ded7fe9c2b1ee035f864f1 Mon Sep 17 00:00:00 2001
From: Joshua Rogers
Date: Fri, 5 Sep 2025 17:53:58 +0200
Subject: [PATCH] fix(emscripten): prevent argv use-after-free
Previously, when overriding `argc/argv` from the window location hash, the code built temporary `std::vector` and `std::vector` on the stack, then reassigned `argv` to their `.data()`. Once the block ended, both vectors were destroyed, leaving `argv` pointing into freed memory (UAF). This patch makes the vectors `static`, ensuring their storage lives for the entire program lifetime and preventing the invalid pointer access.
---
 renderer/path_fiddle/path_fiddle.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/renderer/path_fiddle/path_fiddle.cpp b/renderer/path_fiddle/path_fiddle.cpp
index 40d0aca77..a05a5316a 100644
--- a/renderer/path_fiddle/path_fiddle.cpp
+++ b/renderer/path_fiddle/path_fiddle.cpp
@@ -412,8 +412,8 @@ int main(int argc, const char** argv)
 // Override argc/argv with the window location hash string.
 char* hash = get_location_hash_str();
 std::stringstream ss(hash);
- std::vector hashStrs;
- std::vector hashArgs;
+ static std::vector hashStrs;
+ static std::vector hashArgs;
 std::string arg;
 hashStrs.push_back("index.html");