details: https://hg.nginx.org/njs/rev/8799bbb1cb5d
branches:
changeset: 1694:8799bbb1cb5d
user: Dmitry Volyntsev <xei...@nginx.com>
date: Tue Aug 31 13:16:44 2021 +0000
description:
Fixed %TypedArray%.prototype.join() with detached buffer.
The TypedArray buffer may be detached while evaluating custom
"separator" argument. The fix is to move the buffer check below this
point.
Found by Official ECMAScript Conformance Test Suite.
diffstat:
src/njs_typed_array.c | 5 +++++
src/test/njs_unit_test.c | 7 +++++++
2 files changed, 12 insertions(+), 0 deletions(-)
diffs (32 lines):
diff -r 99afe1a7f71d -r 8799bbb1cb5d src/njs_typed_array.c
--- a/src/njs_typed_array.c Tue Aug 31 13:16:43 2021 +0000
+++ b/src/njs_typed_array.c Tue Aug 31 13:16:44 2021 +0000
@@ -2166,6 +2166,11 @@ njs_typed_array_prototype_join(njs_vm_t
return NJS_OK;
}
+ if (njs_slow_path(njs_is_detached_buffer(array->buffer))) {
+ njs_type_error(vm, "detached buffer");
+ return NJS_ERROR;
+ }
+
njs_chb_init(&chain, vm->mem_pool);
length = njs_typed_array_to_chain(vm, &chain, array, separator);
diff -r 99afe1a7f71d -r 8799bbb1cb5d src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Tue Aug 31 13:16:43 2021 +0000
+++ b/src/test/njs_unit_test.c Tue Aug 31 13:16:44 2021 +0000
@@ -6234,6 +6234,13 @@ static njs_unit_test_t njs_test[] =
" return a.map(q=>q/2).join('|') === '3|2|1'})"),
njs_str("true") },
+#ifdef NJS_TEST262
+ { njs_str("const arr = new Uint8Array([1,2,3]);"
+ "const sep = {toString(){$262.detachArrayBuffer(arr.buffer);
return ','}};"
+ "arr.join(sep)"),
+ njs_str("TypeError: detached buffer") },
+#endif
+
{ njs_str("Uint8Array.prototype.reduce.call(1)"),
njs_str("TypeError: this is not a typed array") },
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
