From: Dmitry Volyntsev <xeioex@nginx.com>
Date: Tue, 31 Aug 2021 13:16:44 +0000 (+0000)
Subject: Fixed %TypedArray%.prototype.join() with detached buffer.
X-Git-Tag: 0.6.2~1
X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=0b717e25eeaa9fd0ca93f83ff698ad1d7ec274bd;p=njs.git

Fixed %TypedArray%.prototype.join() with detached buffer.

The TypedArray buffer may be detached while evaluating custom
"separator" argument.  The fix is to move the buffer check below this
point.

Found by Official ECMAScript Conformance Test Suite.
---

diff --git a/src/njs_typed_array.c b/src/njs_typed_array.c
index 7fb6cf1c..94dfd5e8 100644
--- a/src/njs_typed_array.c
+++ b/src/njs_typed_array.c
@@ -2166,6 +2166,11 @@ njs_typed_array_prototype_join(njs_vm_t *vm, njs_value_t *args,
         return NJS_OK;
     }
 
+    if (njs_slow_path(njs_is_detached_buffer(array->buffer))) {
+        njs_type_error(vm, "detached buffer");
+        return NJS_ERROR;
+    }
+
     njs_chb_init(&chain, vm->mem_pool);
 
     length = njs_typed_array_to_chain(vm, &chain, array, separator);
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index f48e2e87..facab421 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -6234,6 +6234,13 @@ static njs_unit_test_t  njs_test[] =
               "           return a.map(q=>q/2).join('|') === '3|2|1'})"),
       njs_str("true") },
 
+#ifdef NJS_TEST262
+    { njs_str("const arr = new Uint8Array([1,2,3]);"
+              "const sep = {toString(){$262.detachArrayBuffer(arr.buffer); return ','}};"
+              "arr.join(sep)"),
+      njs_str("TypeError: detached buffer") },
+#endif
+
     { njs_str("Uint8Array.prototype.reduce.call(1)"),
       njs_str("TypeError: this is not a typed array") },