diff --git a/quickjs.c b/quickjs.c
index 8c4ea925c..a6099dc3c 100644
--- a/quickjs.c
+++ b/quickjs.c
@@ -54334,7 +54334,7 @@ static JSValue js_array_buffer_slice(JSContext *ctx,
 goto fail;
 }
 /* must test again because of side effects */
- if (abuf->detached) {
+ if (abuf->detached || abuf->byte_length < start + new_len) {
 JS_ThrowTypeErrorDetachedArrayBuffer(ctx);
 goto fail;
 }
diff --git a/tests/test_builtin.js b/tests/test_builtin.js
index d19ec55f4..e9e25cfc8 100644
--- a/tests/test_builtin.js
+++ b/tests/test_builtin.js
@@ -586,6 +586,7 @@ function test_typed_array()
 try {
 new TypedArray(); // extensible but not instantiable
 } catch (e) {
+ assert(e instanceof TypeError);
 assert(/cannot be called/.test(e.message));
 caught = true;
 }
@@ -598,6 +599,25 @@ function test_typed_array()
 assert(a[0], 42);
 buffer.transfer();
 assert(a[0], undefined);
+
+ // https://github.com/quickjs-ng/quickjs/issues/1210
+ var buffer = new ArrayBuffer(16, {maxByteLength: 16});
+ var desc = Object.getOwnPropertyDescriptor(ArrayBuffer, Symbol.species);
+ assert(typeof desc.get, "function");
+ var get = function() {
+ buffer.resize(1);
+ return ArrayBuffer;
+ };
+ Object.defineProperty(ArrayBuffer, Symbol.species, {...desc, get});
+ let ex;
+ try {
+ buffer.slice();
+ } catch (ex_) {
+ ex = ex_;
+ }
+ Object.defineProperty(ArrayBuffer, Symbol.species, desc); // restore
+ assert(ex instanceof TypeError);
+ assert("ArrayBuffer is detached", ex.message);
 }
 function test_json()
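Review bot: The added `abuf->byte_length < start + new_len` branch reports a buffer that was only shrunk through `JS_ThrowTypeErrorDetachedArrayBuffer`, so a script is told "ArrayBuffer is detached" about a buffer that is still attached. Re-checking the bounds after the species constructor has run script is the right guard, but as I read the ECMAScript steps for ArrayBuffer.prototype.slice a resized source is copied with a count clamped to the current length rather than rejected, so the stricter behaviour deserves a comment. I would extend the existing one to `/* must test again because of side effects: the species getter can detach or shrink abuf, so re-validate start + new_len against byte_length */`. The declarations of `start` and `new_len` are outside the hunk; if either is narrower than 64 bits, checking `start > abuf->byte_length || new_len > abuf->byte_length - start` avoids relying on the sum not wrapping. js_array_buffer_slice begins and ends outside the hunk.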
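Review bot: The regression test in the last hunk pins only the rejecting path, where `buffer.resize(1)` leaves fewer bytes than `buffer.slice()` asked for, so nothing exercises the boundary of the new `<` comparison in quickjs.c. A second case in which the species getter shrinks a fresh resizable buffer to exactly the requested range (resize to 1, then `slice(0, 1)`) and the call is expected to succeed would catch an off-by-one in either direction. The final line, `assert("ArrayBuffer is detached", ex.message);`, passes the expected value first, while neighbouring calls such as `assert(a[0], 42)` appear to pass the actual value first; `assert(ex.message, "ArrayBuffer is detached");` keeps failure output consistent.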