Fix length check in ArrayBuffer.prototype.slice (bnoordhuis) (#451)
authorFabrice Bellard <fabrice@bellard.org>
Mon, 3 Nov 2025 17:38:20 +0000 (18:38 +0100)
committerFabrice Bellard <fabrice@bellard.org>
Mon, 3 Nov 2025 17:38:20 +0000 (18:38 +0100)
quickjs.c

index b4020d064fea334f30065fb1523ee0c50035dca5..fcc73683fa9f27105cb4003e8f83f62854b9c1e8 100644 (file)
--- a/quickjs.c
+++ b/quickjs.c
@@ -55626,7 +55626,7 @@ static JSValue js_array_buffer_slice(JSContext *ctx,
         goto fail;
     }
     /* must test again because of side effects */
-    if (abuf->detached) {
+    if (abuf->detached || abuf->byte_length < start + new_len) {
         JS_ThrowTypeErrorDetachedArrayBuffer(ctx);
         goto fail;
     }
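Review bot: The added `abuf->byte_length < start + new_len` condition reuses `JS_ThrowTypeErrorDetachedArrayBuffer`, so a source buffer that the side effects only shrank is reported as detached; a separate error for the resized case would make the failure easier to diagnose. The comment above the check still says only "side effects" and could read `/* must test again: side effects may have detached or shrunk abuf; the copy after this check reads start + new_len bytes */` (the copy is outside the hunk, so that part is inferred). As far as I recall, the ECMAScript steps for slice throw only on detach and otherwise clamp the copy to the current length, so throwing here may be a conformance difference worth recording in the comment. The declarations of `start` and `new_len` are not visible in the hunk; if either is narrower than 64 bits, the sum should be guarded against overflow before the comparison.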