[njs] Fixed %TypedArray%.prototype.join() with detached buffer.
Dmitry Volyntsev
xeioex at nginx.com
Tue Aug 31 13:17:47 UTC 2021
details: https://hg.nginx.org/njs/rev/8799bbb1cb5d
branches:
changeset: 1694:8799bbb1cb5d
user: Dmitry Volyntsev <xeioex at nginx.com>
date: Tue Aug 31 13:16:44 2021 +0000
description:
Fixed %TypedArray%.prototype.join() with detached buffer.
The TypedArray buffer may be detached while evaluating custom
"separator" argument. The fix is to move the buffer check below this
point.
Found by Official ECMAScript Conformance Test Suite.
diffstat:
src/njs_typed_array.c | 5 +++++
src/test/njs_unit_test.c | 7 +++++++
2 files changed, 12 insertions(+), 0 deletions(-)
diffs (32 lines):
diff -r 99afe1a7f71d -r 8799bbb1cb5d src/njs_typed_array.c
--- a/src/njs_typed_array.c Tue Aug 31 13:16:43 2021 +0000
+++ b/src/njs_typed_array.c Tue Aug 31 13:16:44 2021 +0000
@@ -2166,6 +2166,11 @@ njs_typed_array_prototype_join(njs_vm_t
return NJS_OK;
}
+ if (njs_slow_path(njs_is_detached_buffer(array->buffer))) {
+ njs_type_error(vm, "detached buffer");
+ return NJS_ERROR;
+ }
+
njs_chb_init(&chain, vm->mem_pool);
length = njs_typed_array_to_chain(vm, &chain, array, separator);
diff -r 99afe1a7f71d -r 8799bbb1cb5d src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Tue Aug 31 13:16:43 2021 +0000
+++ b/src/test/njs_unit_test.c Tue Aug 31 13:16:44 2021 +0000
@@ -6234,6 +6234,13 @@ static njs_unit_test_t njs_test[] =
" return a.map(q=>q/2).join('|') === '3|2|1'})"),
njs_str("true") },
+#ifdef NJS_TEST262
+ { njs_str("const arr = new Uint8Array([1,2,3]);"
+ "const sep = {toString(){$262.detachArrayBuffer(arr.buffer); return ','}};"
+ "arr.join(sep)"),
+ njs_str("TypeError: detached buffer") },
+#endif
+
{ njs_str("Uint8Array.prototype.reduce.call(1)"),
njs_str("TypeError: this is not a typed array") },
More information about the nginx-devel
mailing list