Check returned ArrayBuffer in DataView buffer getter. (#243)

This patch fixes #135. Signed-off-by: Robert Fancsik [email protected]
Samsung · May 10, 2019 · 02d14ea · 02d14ea
1 parent 0caf44d
commit 02d14ea
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 1 deletion.
diff --git a/src/runtime/GlobalObjectBuiltinDataView.cpp b/src/runtime/GlobalObjectBuiltinDataView.cpp
@@ -125,7 +125,10 @@ FOR_EACH_DATAVIEW_TYPES(DECLARE_DATAVIEW_SETTER);
 static Value builtinDataViewBufferGetter(ExecutionState& state, Value thisValue, size_t argc, Value* argv, bool isNewExpression)
 {
     if (LIKELY(thisValue.isPointerValue() && thisValue.asPointerValue()->isDataViewObject())) {
-        return Value(thisValue.asObject()->asArrayBufferView()->buffer());
+        ArrayBufferObject* buffer = thisValue.asObject()->asArrayBufferView()->buffer();
+        if (buffer) {
+            return Value(buffer);
+        }
     }
     ErrorObject::throwBuiltinError(state, ErrorObject::TypeError, "get DataView.prototype.buffer called on incompatible receiver");
     RELEASE_ASSERT_NOT_REACHED();

diff --git a/test/regression-tests/issue-135.js b/test/regression-tests/issue-135.js
@@ -0,0 +1,64 @@
+/* Copyright 2019-present Samsung Electronics Co., Ltd. and other contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function collect(value) {
+    var primitive = y(value)
+    if (primitive) return
+    var index = z(value)
+    if (index !== -1) { return }
+    else {
+        x.push({ })
+        index = x.length - 1
+        x[ index ].fv = value
+    }
+
+    var ps = Object.getOwnPropertyNames(value)
+    for (var i = 0; i < ps.length; i++) {
+        var p = ps[i]
+        if (a(value, p)) {
+            collect(value[p])
+        }
+    }
+}
+
+function y(value) {
+    if (value === null)
+        return "null"
+    var vt = typeof value
+    if (vt !== "function" && vt !== "object")
+        return vt
+}
+
+function a(value, field) {
+    try {
+        value[field]
+        return true
+    } catch ( $ ) { }
+}
+
+function z(value) {
+    for (var i = 0; i < x.length; i++) {
+        if (value === x[ i ].fv)
+             return i
+    }
+    return -1
+}
+
+var x = [ ];
+collect(this);