From 02d14eada31a04da8cc36b8f8ff50be824f47892 Mon Sep 17 00:00:00 2001
From: Robert Fancsik
Date: Fri, 10 May 2019 06:52:26 +0200
Subject: [PATCH] Check returned ArrayBuffer in DataView buffer getter. (#243)

This patch fixes #135.

Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
---
 src/runtime/GlobalObjectBuiltinDataView.cpp | 5 +-
 test/regression-tests/issue-135.js | 64 +++++++++++++++++++++
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 test/regression-tests/issue-135.js

diff --git a/src/runtime/GlobalObjectBuiltinDataView.cpp b/src/runtime/GlobalObjectBuiltinDataView.cpp
index c0ddcecb1..d24c9c7ca 100644
--- a/src/runtime/GlobalObjectBuiltinDataView.cpp
+++ b/src/runtime/GlobalObjectBuiltinDataView.cpp
@@ -125,7 +125,10 @@ FOR_EACH_DATAVIEW_TYPES(DECLARE_DATAVIEW_SETTER);
 static Value builtinDataViewBufferGetter(ExecutionState& state, Value thisValue, size_t argc, Value* argv, bool isNewExpression)
 {
     if (LIKELY(thisValue.isPointerValue() && thisValue.asPointerValue()->isDataViewObject())) {
-        return Value(thisValue.asObject()->asArrayBufferView()->buffer());
+        ArrayBufferObject* buffer = thisValue.asObject()->asArrayBufferView()->buffer();
+        if (buffer) {
+            return Value(buffer);
+        }
     }
     ErrorObject::throwBuiltinError(state, ErrorObject::TypeError, "get DataView.prototype.buffer called on incompatible receiver");
     RELEASE_ASSERT_NOT_REACHED();
diff --git a/test/regression-tests/issue-135.js b/test/regression-tests/issue-135.js
new file mode 100644
index 000000000..66ae0242c
--- /dev/null
+++ b/test/regression-tests/issue-135.js
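Review bot: The new null-buffer branch falls through to the existing "incompatible receiver" TypeError, although the receiver there has already passed the isDataViewObject() check and only its buffer() is null (presumably a DataView object whose ArrayBuffer was never attached; the hunk does not show how that state arises). A reader of the resulting error will look for a wrong `this` rather than an uninitialized view, so a distinct message in the new branch, e.g. `if (!buffer) ErrorObject::throwBuiltinError(state, ErrorObject::TypeError, "get DataView.prototype.buffer called on DataView with no ArrayBuffer");`, would make the failure diagnosable. If buffer() can be null on a DataView here, the sibling byteLength/byteOffset getters and the typed get/set built-ins declared through FOR_EACH_DATAVIEW_TYPES (outside the hunk) likely dereference the same pointer; since this change converts a script-reachable null dereference into a TypeError, the others are worth auditing for the same guard. The function's closing brace lies outside the hunk.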
@@ -0,0 +1,64 @@
+/* Copyright 2019-present Samsung Electronics Co., Ltd. and other contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function collect(value) {
+  var primitive = y(value)
+  if (primitive) return
+  var index = z(value)
+  if (index !== -1) { return }
+  else {
+    x.push({ })
+    index = x.length - 1
+    x[ index ].fv = value
+  }
+
+  var ps = Object.getOwnPropertyNames(value)
+  for (var i = 0; i < ps.length; i++) {
+    var p = ps[i]
+    if (a(value, p)) {
+      collect(value[p])
+    }
+  }
+}
+
+function y(value) {
+  if (value === null)
+    return "null"
+  var vt = typeof value
+  if (vt !== "function" && vt !== "object")
+    return vt
+}
+
+function a(value, field) {
+  try {
+    value[field]
+    return true
+  } catch ( $ ) { }
+}
+
+function z(value) {
+  for (var i = 0; i < x.length; i++) {
+    if (value === x[ i ].fv)
+      return i
+  }
+  return -1
+}
+
+var x = [ ];
+collect(this);
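Review bot: The test states its intent nowhere: it only walks every property reachable from the global object and nothing in it names DataView, so a later reader cannot tell which path guards the regression; a comment under the V8 header such as `// Regression test for #135: enumerating every reachable property must not crash; the walk presumably reaches DataView.prototype.buffer on a receiver with no attached ArrayBuffer.` would tie it to the fix. Note also that a(value, field) probes a property once inside try/catch, but collect(value[p]) then re-reads it with no handler, so a getter that throws only on a second read would abort the whole walk instead of being skipped; reading the value once under the try (`var v = value[field]`) and passing it on would avoid that. The file has no assertion, which is acceptable for a crash-regression test, but the expectation the harness relies on (the script completes without throwing) belongs in the same comment.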