From 3ec0911fdaed951c724a324ab054bf863cb023a8 Mon Sep 17 00:00:00 2001
From: Ben Noordhuis
Date: Mon, 20 Oct 2025 22:58:04 +0200
Subject: [PATCH] Fix length check in Array.prototype.resize

Fixes: https://github.com/quickjs-ng/quickjs/issues/1210
---
 quickjs.c             |  2 +-
 tests/test_builtin.js | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/quickjs.c b/quickjs.c
index 8c4ea925c..a6099dc3c 100644
--- a/quickjs.c
+++ b/quickjs.c
@@ -54334,7 +54334,7 @@ static JSValue js_array_buffer_slice(JSContext *ctx,
         goto fail;
     }
     /* must test again because of side effects */
-    if (abuf->detached) {
+    if (abuf->detached || abuf->byte_length < start + new_len) {
         JS_ThrowTypeErrorDetachedArrayBuffer(ctx);
         goto fail;
     }
diff --git a/tests/test_builtin.js b/tests/test_builtin.js
index d19ec55f4..e9e25cfc8 100644
--- a/tests/test_builtin.js
+++ b/tests/test_builtin.js
@@ -586,6 +586,7 @@ function test_typed_array()
     try {
         new TypedArray(); // extensible but not instantiable
     } catch (e) {
+        assert(e instanceof TypeError);
         assert(/cannot be called/.test(e.message));
         caught = true;
     }
@@ -598,6 +599,25 @@ function test_typed_array()
     assert(a[0], 42);
     buffer.transfer();
     assert(a[0], undefined);
+
+    // https://github.com/quickjs-ng/quickjs/issues/1210
+    var buffer = new ArrayBuffer(16, {maxByteLength: 16});
+    var desc = Object.getOwnPropertyDescriptor(ArrayBuffer, Symbol.species);
+    assert(typeof desc.get, "function");
+    var get = function() {
+        buffer.resize(1);
+        return ArrayBuffer;
+    };
+    Object.defineProperty(ArrayBuffer, Symbol.species, {...desc, get});
+    let ex;
+    try {
+        buffer.slice();
+    } catch (ex_) {
+        ex = ex_;
+    }
+    Object.defineProperty(ArrayBuffer, Symbol.species, desc); // restore
+    assert(ex instanceof TypeError);
+    assert("ArrayBuffer is detached", ex.message);
 }
 
 function test_json()
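Review bot: The new condition in the post-species re-check correctly refuses to copy `new_len` bytes out of a source buffer that `resize()` shrank during the `Symbol.species` lookup, but it reports that case through `JS_ThrowTypeErrorDetachedArrayBuffer`, so a merely shrunk buffer is reported as detached (the added test pins that message). ECMA-262's ArrayBuffer.prototype.slice instead clamps the copy to min(newLen, currentLen - first) when first < currentLen and only throws on detachment; throwing is the conservative choice against reading past the shrunk backing store, but a dedicated message, or at least an updated comment such as `/* must test again: the species constructor may have detached or shrunk abuf */`, would make the intent clear. Assuming `start` and `new_len` are the non-negative clamped int64 values computed earlier in `js_array_buffer_slice` (outside this hunk), `start + new_len` cannot overflow, but that is worth confirming since the comparison is against an `int` byte_length. Note also that the commit subject names `Array.prototype.resize`, which does not exist; the patched function is `ArrayBuffer.prototype.slice`. The enclosing function starts and ends outside the hunk.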
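Review bot: The regression test only exercises the over-shrunk case (`resize(1)` against a full 16-byte slice), so nothing checks that the new length check in `js_array_buffer_slice` does not over-reject a resize that still leaves the requested range in bounds, nor a slice with a non-zero start. A companion case that shrinks to 8 bytes and slices `[2, 6)` should succeed and yield a 4-byte buffer, as sketched below. Separately, `assert("ArrayBuffer is detached", ex.message)` puts the expected value first, unlike `assert(typeof desc.get, "function")` a few lines above and the file's actual-then-expected convention; `assert(ex.message, "ArrayBuffer is detached");` keeps failure output consistent. test_typed_array() starts outside the hunk.
```javascript
    // … unchanged: over-shrunk case (resize(1), slice(), TypeError assertions) …
    // a resize that keeps [start, start + len) in bounds must still succeed
    buffer = new ArrayBuffer(16, {maxByteLength: 16});
    get = function() {
        buffer.resize(8);
        return ArrayBuffer;
    };
    Object.defineProperty(ArrayBuffer, Symbol.species, {...desc, get});
    var sliced = buffer.slice(2, 6);
    Object.defineProperty(ArrayBuffer, Symbol.species, desc); // restore
    assert(sliced.byteLength, 4);
```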