Fix use-after-free in ArrayBuffer.prototype.transfer (bnoordhuis) (#450) - use js_array_buffer_update_typed_arrays() in JS_DetachArrayBuffer()

2025-11-15 18:22:15 +03:00 · 2025-11-03 18:23:19 +01:00
parent baa186fc6e
commit 75b5230000
2 changed files with 49 additions and 41 deletions
--- a/tests/test_builtin.js
+++ b/tests/test_builtin.js
@@ -511,6 +511,14 @@ function test_typed_array()
    assert(a.toString(), "1,2,3,4");
    a.set([10, 11], 2);
    assert(a.toString(), "1,2,10,11");
+
+    // https://github.com/quickjs-ng/quickjs/issues/1208
+    buffer = new ArrayBuffer(16);
+    a = new Uint8Array(buffer);
+    a.fill(42);
+    assert(a[0], 42);
+    buffer.transfer();
+    assert(a[0], undefined);
 }

 /* return [s, line_num, col_num] where line_num and col_num are the