From 2034d042cedd952ff0897d29422cfa68d0d5e029 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 20 Nov 2025 17:23:56 +0000 Subject: [PATCH 1/4] Initial plan From 7d5fa4d3010c7518d16527f88db67bd9f977bed7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 20 Nov 2025 17:27:27 +0000 Subject: [PATCH 2/4] Add security note to ArrayPool.Return documentation Co-authored-by: jkotas <6668460+jkotas@users.noreply.github.com> --- xml/System.Buffers/ArrayPool`1.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/xml/System.Buffers/ArrayPool`1.xml b/xml/System.Buffers/ArrayPool`1.xml index 181bd81cb92..b98526f39ab 100644 --- a/xml/System.Buffers/ArrayPool`1.xml +++ b/xml/System.Buffers/ArrayPool`1.xml @@ -309,6 +309,9 @@ The array returned by this method may not be zero-initialized. ## Remarks Once a buffer has been returned to the pool, the caller gives up all ownership of the buffer and must not use it. The reference returned from a given call to the method must only be returned using the method once. The default may hold onto the returned buffer in order to rent it again, or it may release the returned buffer if it's determined that the pool already has enough buffers stored. + +> [!IMPORTANT] +> Returning the same array reference twice or continuing to use the array reference after it has been returned is a high-severity security issue. These actions can lead to [double-free](https://cwe.mitre.org/data/definitions/415.html) and [use-after-free](https://cwe.mitre.org/data/definitions/416.html) vulnerabilities, which might result in memory corruption, data leaks, or arbitrary code execution. ]]> From 967877b5e3c6e6a8ab8bd28364ba4745e7665518 Mon Sep 17 00:00:00 2001 From: Jan Kotas Date: Thu, 20 Nov 2025 09:29:28 -0800 Subject: [PATCH 3/4] Update xml/System.Buffers/ArrayPool`1.xml --- xml/System.Buffers/ArrayPool`1.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Buffers/ArrayPool`1.xml b/xml/System.Buffers/ArrayPool`1.xml index b98526f39ab..24043f7ad37 100644 --- a/xml/System.Buffers/ArrayPool`1.xml +++ b/xml/System.Buffers/ArrayPool`1.xml @@ -311,7 +311,7 @@ The array returned by this method may not be zero-initialized. Once a buffer has been returned to the pool, the caller gives up all ownership of the buffer and must not use it. The reference returned from a given call to the method must only be returned using the method once. The default may hold onto the returned buffer in order to rent it again, or it may release the returned buffer if it's determined that the pool already has enough buffers stored. > [!IMPORTANT] -> Returning the same array reference twice or continuing to use the array reference after it has been returned is a high-severity security issue. These actions can lead to [double-free](https://cwe.mitre.org/data/definitions/415.html) and [use-after-free](https://cwe.mitre.org/data/definitions/416.html) vulnerabilities, which might result in memory corruption, data leaks, or arbitrary code execution. +> Returning the same array reference twice or continuing to use the array reference after it has been returned is a high-severity security issue. These actions can lead to [double-free](https://cwe.mitre.org/data/definitions/415.html) and [use-after-free](https://cwe.mitre.org/data/definitions/416.html) vulnerabilities, which might result in data corruption, data leaks and denial of service. ]]> From bbef604d5eae292cd7c55fc6c1abbbf44694892f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 20 Nov 2025 17:39:33 +0000 Subject: [PATCH 4/4] Add Oxford comma to security warning list Co-authored-by: jkotas <6668460+jkotas@users.noreply.github.com> --- xml/System.Buffers/ArrayPool`1.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Buffers/ArrayPool`1.xml b/xml/System.Buffers/ArrayPool`1.xml index 24043f7ad37..7fedb6e085c 100644 --- a/xml/System.Buffers/ArrayPool`1.xml +++ b/xml/System.Buffers/ArrayPool`1.xml @@ -311,7 +311,7 @@ The array returned by this method may not be zero-initialized. Once a buffer has been returned to the pool, the caller gives up all ownership of the buffer and must not use it. The reference returned from a given call to the method must only be returned using the method once. The default may hold onto the returned buffer in order to rent it again, or it may release the returned buffer if it's determined that the pool already has enough buffers stored. > [!IMPORTANT] -> Returning the same array reference twice or continuing to use the array reference after it has been returned is a high-severity security issue. These actions can lead to [double-free](https://cwe.mitre.org/data/definitions/415.html) and [use-after-free](https://cwe.mitre.org/data/definitions/416.html) vulnerabilities, which might result in data corruption, data leaks and denial of service. +> Returning the same array reference twice or continuing to use the array reference after it has been returned is a high-severity security issue. These actions can lead to [double-free](https://cwe.mitre.org/data/definitions/415.html) and [use-after-free](https://cwe.mitre.org/data/definitions/416.html) vulnerabilities, which might result in data corruption, data leaks, and denial of service. ]]>