From 0b717e25eeaa9fd0ca93f83ff698ad1d7ec274bd Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Tue, 31 Aug 2021 13:16:44 +0000
Subject: [PATCH] Fixed %TypedArray%.prototype.join() with detached buffer.

The TypedArray buffer may be detached while evaluating custom "separator" argument. The fix is to move the buffer check below this point. Found by Official ECMAScript Conformance Test Suite.
---
 src/njs_typed_array.c | 5 +++++
 src/test/njs_unit_test.c | 7 +++++++
 2 files changed, 12 insertions(+)
diff --git a/src/njs_typed_array.c b/src/njs_typed_array.c
index 7fb6cf1c..94dfd5e8 100644
--- a/src/njs_typed_array.c
+++ b/src/njs_typed_array.c
@@ -2166,6 +2166,11 @@ njs_typed_array_prototype_join(njs_vm_t *vm, njs_value_t *args,
 return NJS_OK;
 }
+ if (njs_slow_path(njs_is_detached_buffer(array->buffer))) {
+ njs_type_error(vm, "detached buffer");
+ return NJS_ERROR;
+ }
+
 njs_chb_init(&chain, vm->mem_pool);
 length = njs_typed_array_to_chain(vm, &chain, array, separator);
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index f48e2e87..facab421 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -6234,6 +6234,13 @@ static njs_unit_test_t njs_test[] =
 " return a.map(q=>q/2).join('|') === '3|2|1'})"),
 njs_str("true") },
+#ifdef NJS_TEST262
+ { njs_str("const arr = new Uint8Array([1,2,3]);"
+ "const sep = {toString(){$262.detachArrayBuffer(arr.buffer); return ','}};"
+ "arr.join(sep)"),
+ njs_str("TypeError: detached buffer") },
+#endif
+
 { njs_str("Uint8Array.prototype.reduce.call(1)"),
 njs_str("TypeError: this is not a typed array") },
-- 
2.47.3
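Review bot: The detached-buffer check added in njs_typed_array_prototype_join() after the `return NJS_OK;` early exit has no comment saying why it is needed this late, so a later cleanup could drop it as a duplicate of whatever earlier validation the commit message refers to. I would put `/* Converting "separator" may run user code that detaches array->buffer; re-check before reading elements. */` above the `if`. The early `return NJS_OK;` sits before the new check, so on that path a buffer detached during separator conversion is not reported. The condition guarding that return is outside the hunk, so it should be confirmed that this is intended (presumably the empty-array case). The function starts and ends outside the hunk.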
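Review bot: The new njs_test[] entry is compiled only under `#ifdef NJS_TEST262`, so a build without that define has no regression coverage for the detached-buffer check in join(). It is worth confirming that the test target run in CI defines it. The entry also covers only a non-empty Uint8Array. A companion entry using `new Uint8Array(0)` with the same detaching separator would pin down what the early `return NJS_OK;` path in njs_typed_array_prototype_join() is expected to do. The table continues outside the hunk.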