zlib: fix use-after-free when reset() is called during write

The Reset() method did not check the write_in_progress_ flag before
resetting the compression stream. This allowed reset() to free the
compression library's internal state while a worker thread was still
using it during an async write, causing a use-after-free.

Add a write_in_progress_ guard to Reset() that throws an error if a
write is in progress, matching the existing pattern used by Close()
and Write().

PR-URL: TODO
Refs: https://hackerone.com/reports/3609132

Author: mcollina

src/node_zlib.cc

@@ -644,6 +644,12 @@ class CompressionStream : public AsyncWrap,
     CompressionStream* wrap;
     ASSIGN_OR_RETURN_UNWRAP(&wrap, args.This());
 
+    if (wrap->write_in_progress_) {
+      wrap->env()->ThrowError(
+          "Cannot reset zlib stream while a write is in progress");
+      return;
+    }
+
     AllocScope alloc_scope(wrap);
     const CompressionError err = wrap->context()->ResetStream();
     if (err.IsError())

test/parallel/test-zlib-reset-during-write.js

@@ -0,0 +1,23 @@
+'use strict';
+const common = require('../common');
+const assert = require('assert');
+const { createBrotliCompress, createDeflate } = require('zlib');
+
+// Tests that calling .reset() while an async write is in progress
+// throws an error instead of causing a use-after-free.
+
+for (const factory of [createBrotliCompress, createDeflate]) {
+  const stream = factory();
+  const input = Buffer.alloc(1024, 0x41);
+
+  stream.write(input, common.mustCall());
+  stream.on('error', common.mustNotCall());
+
+  // The write has been dispatched to the thread pool.
+  // Calling reset while write is in progress must throw.
+  assert.throws(() => {
+    stream._handle.reset();
+  }, {
+    message: 'Cannot reset zlib stream while a write is in progress',
+  });
+}