Welcome! Log In Create A New Profile

Advanced

[njs] Fixed %TypedArray%.prototype.join() with detached buffer.

Dmitry Volyntsev
August 31, 2021 09:18AM
details: https://hg.nginx.org/njs/rev/8799bbb1cb5d
branches:
changeset: 1694:8799bbb1cb5d
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Tue Aug 31 13:16:44 2021 +0000
description:
Fixed %TypedArray%.prototype.join() with detached buffer.

The TypedArray buffer may be detached while evaluating custom
"separator" argument. The fix is to move the buffer check below this
point.

Found by Official ECMAScript Conformance Test Suite.

diffstat:

src/njs_typed_array.c | 5 +++++
src/test/njs_unit_test.c | 7 +++++++
2 files changed, 12 insertions(+), 0 deletions(-)

diffs (32 lines):

diff -r 99afe1a7f71d -r 8799bbb1cb5d src/njs_typed_array.c
--- a/src/njs_typed_array.c Tue Aug 31 13:16:43 2021 +0000
+++ b/src/njs_typed_array.c Tue Aug 31 13:16:44 2021 +0000
@@ -2166,6 +2166,11 @@ njs_typed_array_prototype_join(njs_vm_t
return NJS_OK;
}

+ if (njs_slow_path(njs_is_detached_buffer(array->buffer))) {
+ njs_type_error(vm, "detached buffer");
+ return NJS_ERROR;
+ }
+
njs_chb_init(&chain, vm->mem_pool);

length = njs_typed_array_to_chain(vm, &chain, array, separator);
diff -r 99afe1a7f71d -r 8799bbb1cb5d src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Tue Aug 31 13:16:43 2021 +0000
+++ b/src/test/njs_unit_test.c Tue Aug 31 13:16:44 2021 +0000
@@ -6234,6 +6234,13 @@ static njs_unit_test_t njs_test[] =
" return a.map(q=>q/2).join('|') === '3|2|1'})"),
njs_str("true") },

+#ifdef NJS_TEST262
+ { njs_str("const arr = new Uint8Array([1,2,3]);"
+ "const sep = {toString(){$262.detachArrayBuffer(arr.buffer); return ','}};"
+ "arr.join(sep)"),
+ njs_str("TypeError: detached buffer") },
+#endif
+
{ njs_str("Uint8Array.prototype.reduce.call(1)"),
njs_str("TypeError: this is not a typed array") },

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[njs] Fixed %TypedArray%.prototype.join() with detached buffer.

Dmitry Volyntsev 83 August 31, 2021 09:18AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 66
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready