Fix race between zlib Inflate/Deflate and Dispose (#128752)

rzikm · Copilot · web-flow · commit bdf863682e3f · 2026-06-01T16:23:30.000+02:00
Fixes #128550. `Inflater`/`Deflater` synchronize their native zlib calls via a managed `lock`, but `Dispose` is not synchronized, so a concurrent `Dispose` on one thread could run `InflateEnd`/`DeflateEnd` and free the underlying `z_stream` while another thread was mid-call inside the native `inflate`/`deflate`, leading to use-after-free crashes. The fix moves the protection down into `ZLibStreamHandle`. `Inflate`, `InflateReset2_`, and `Deflate` now bracket their native invocations with `DangerousAddRef`/`DangerousRelease`, which is exactly what `SafeHandle` is designed for: it defers `ReleaseHandle` (and therefore the `InflateEnd`/`DeflateEnd` P/Invoke) until all in-flight callers have released their refs. The redundant `EnsureNotDisposed` check is removed from these methods since `DangerousAddRef` already throws `ObjectDisposedException` for a closed handle. The other `ZLibStreamHandle` members (`DeflateEnd`, `InflateEnd`, `InflateInit2_`, `DeflateInit2_`) are intentionally left as-is: they only run from initialization or from `ReleaseHandle`/`Dispose` paths that are not the racing party. --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/src/libraries/Common/src/System/IO/Compression/ZLibNative.cs b/src/libraries/Common/src/System/IO/Compression/ZLibNative.cs
@@ -288,11 +288,6 @@ public uint AvailOut
                 set { _zStream.availOut = value; }
             }
 
-            private void EnsureNotDisposed()
-            {
-                ObjectDisposedException.ThrowIf(InitializationState == State.Disposed, this);
-            }
-
             private void EnsureState(State requiredState)
             {
                 if (InitializationState != requiredState)
@@ -348,18 +343,28 @@ private unsafe void DeflateInit2_(CompressionLevel level, int windowBits, int me
 
             public unsafe ErrorCode Deflate(FlushCode flush)
             {
-                EnsureNotDisposed();
-                EnsureState(State.InitializedForDeflate);
+                bool refAdded = false;
+                try
+                {
+                    DangerousAddRef(ref refAdded);
+                    EnsureState(State.InitializedForDeflate);
 
-                fixed (ZStream* stream = &_zStream)
+                    fixed (ZStream* stream = &_zStream)
+                    {
+                        return Interop.ZLib.Deflate(stream, flush);
+                    }
+                }
+                finally
                 {
-                    return Interop.ZLib.Deflate(stream, flush);
+                    if (refAdded)
+                    {
+                        DangerousRelease();
+                    }
                 }
             }
 
-            public unsafe ErrorCode DeflateEnd()
+            private unsafe ErrorCode DeflateEnd()
             {
-                EnsureNotDisposed();
                 EnsureState(State.InitializedForDeflate);
 
                 fixed (ZStream* stream = &_zStream)
@@ -395,29 +400,50 @@ private unsafe void InflateInit2_(int windowBits)
 
             public unsafe ErrorCode InflateReset2_(int windowBits)
             {
-                EnsureNotDisposed();
-                EnsureState(State.InitializedForInflate);
+                bool refAdded = false;
+                try
+                {
+                    DangerousAddRef(ref refAdded);
+                    EnsureState(State.InitializedForInflate);
 
-                fixed (ZStream* stream = &_zStream)
+                    fixed (ZStream* stream = &_zStream)
+                    {
+                        return Interop.ZLib.InflateReset2_(stream, windowBits);
+                    }
+                }
+                finally
                 {
-                    return Interop.ZLib.InflateReset2_(stream, windowBits);
+                    if (refAdded)
+                    {
+                        DangerousRelease();
+                    }
                 }
             }
 
             public unsafe ErrorCode Inflate(FlushCode flush)
             {
-                EnsureNotDisposed();
-                EnsureState(State.InitializedForInflate);
+                bool refAdded = false;
+                try
+                {
+                    DangerousAddRef(ref refAdded);
+                    EnsureState(State.InitializedForInflate);
 
-                fixed (ZStream* stream = &_zStream)
+                    fixed (ZStream* stream = &_zStream)
+                    {
+                        return Interop.ZLib.Inflate(stream, flush);
+                    }
+                }
+                finally
                 {
-                    return Interop.ZLib.Inflate(stream, flush);
+                    if (refAdded)
+                    {
+                        DangerousRelease();
+                    }
                 }
             }
 
-            public unsafe ErrorCode InflateEnd()
+            private unsafe ErrorCode InflateEnd()
             {
-                EnsureNotDisposed();
                 EnsureState(State.InitializedForInflate);
 
                 fixed (ZStream* stream = &_zStream)
