From c6fe5a98fd3ef3b7064e6e0145dfebfe12449fea Mon Sep 17 00:00:00 2001
From: Fabrice Bellard
Date: Mon, 3 Nov 2025 18:38:20 +0100
Subject: [PATCH] Fix length check in ArrayBuffer.prototype.slice (bnoordhuis) (#451)
---
 quickjs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/quickjs.c b/quickjs.c
index b4020d0..fcc7368 100644
--- quickjs.c
+++ quickjs.c
@@ -55626,7 +55626,7 @@ static JSValue js_array_buffer_slice(JSContext *ctx,
 goto fail;
 }
 /* must test again because of side effects */
- if (abuf->detached) {
+ if (abuf->detached || abuf->byte_length < start + new_len) {
 JS_ThrowTypeErrorDetachedArrayBuffer(ctx);
 goto fail;
 }
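Review bot: The new `abuf->byte_length < start + new_len` branch reports its failure through `JS_ThrowTypeErrorDetachedArrayBuffer`, so a buffer that was shrunk rather than detached raises an error naming the wrong cause. Splitting the condition keeps the bounds guard and makes the failure diagnosable, e.g. `if (abuf->byte_length < start + new_len) { JS_ThrowTypeError(ctx, "ArrayBuffer length changed during slice"); goto fail; }` (the message wording is only a suggestion). The comment above the test could also say what is being re-validated: `/* side effects may detach or shrink the buffer; re-check start + new_len against the current byte_length */`. The declarations of `start` and `new_len` are outside the hunk, so it is worth confirming they are wide enough that `start + new_len` cannot overflow before the comparison. The body of `js_array_buffer_slice` starts and ends outside the hunk.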