Check whether a typed array was neutered before writing to it

author jochen <jochen@chromium.org>

Mon, 3 Aug 2015 16:11:14 +0000 (09:11 -0700)

committer Commit bot <commit-bot@chromium.org>

Mon, 3 Aug 2015 16:11:29 +0000 (16:11 +0000)
author jochen <jochen@chromium.org>
Mon, 3 Aug 2015 16:11:14 +0000 (09:11 -0700)
committer Commit bot <commit-bot@chromium.org>
Mon, 3 Aug 2015 16:11:29 +0000 (16:11 +0000)
diff --git a/src/objects.cc b/src/objects.cc

index 1a0a368..8aa73d6 100644 (file)
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -3426,6 +3426,12 @@ MaybeHandle<Object> Object::SetDataProperty(LookupIterator* it,
        // have been invalidated since typed array elements cannot be reconfigured
        // in any way.
        it->ReloadHolderMap();
+
+      // We have to recheck the length. However, it can only change if the
+      // underlying buffer was neutered, so just check that.
+      if (Handle<JSArrayBufferView>::cast(receiver)->WasNeutered()) {
+        return value;
+      }
      }
    }
author	jochen <jochen@chromium.org>
	Mon, 3 Aug 2015 16:11:14 +0000 (09:11 -0700)
committer	Commit bot <commit-bot@chromium.org>
	Mon, 3 Aug 2015 16:11:29 +0000 (16:11 +0000)