Repro:

```c
/* Copy the string bytes into a fresh ArrayBuffer ... */
auto buf = JS_NewArrayBufferCopy(ctx, (uint8_t *)s, len);
/* ... then construct a Uint8Array over it, passing only one argument (the buffer). */
auto uint8Array = JS_NewTypedArray(ctx, 1, &buf, JS_TYPED_ARRAY_UINT8);
```
The intention is to simulate new Uint8Array(arrayBuffer) for an array buffer copied from a string.
This results in calling js_typed_array_constructor which accesses argv[2], although argc is 1 - that arg is unrelated garbage and in some cases results in an invalid length error. It's possible I'm misusing this API, but it looks odd that js_typed_array_constructor takes an argc but never checks it.
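The argc/argv mismatch described above, as an added stand-alone example (not QuickJS code): a simplified stand-in for the typed array constructor's length logic, once reading argv[1]/argv[2] unconditionally and once treating every slot at index >= argc as undefined. The JSVal type, the function names and the constructed "garbage" values are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Minimal stand-in for a JS value: either undefined or an integer. */
typedef struct { bool is_undefined; int64_t num; } JSVal;
#define JS_UNDEF ((JSVal){ .is_undefined = true, .num = 0 })

/* Argument layout mirrors new TypedArray(buffer, byteOffset, length):
 * argv[0] = buffer, argv[1] = byteOffset, argv[2] = length. */

/* Unchecked variant: reads argv[1] and argv[2] no matter what argc says.
 * With argc == 1 those slots are whatever memory follows the caller's array. */
static int64_t typed_array_len_unchecked(int64_t buf_len, int argc, const JSVal *argv) {
    (void)argc;
    int64_t offset = argv[1].is_undefined ? 0 : argv[1].num;
    if (argv[2].is_undefined) return buf_len - offset;
    return argv[2].num; /* may be garbage -> "invalid length" or worse */
}

/* Checked variant: a slot beyond argc is undefined, exactly as script-side
 * new Uint8Array(buffer) would present it. Returns -1 for a RangeError. */
static JSVal arg_or_undef(int argc, const JSVal *argv, int i) {
    return i < argc ? argv[i] : JS_UNDEF;
}

static int64_t typed_array_len_checked(int64_t buf_len, int argc, const JSVal *argv) {
    JSVal off = arg_or_undef(argc, argv, 1);
    JSVal len = arg_or_undef(argc, argv, 2);
    int64_t offset = off.is_undefined ? 0 : off.num;
    if (offset < 0 || offset > buf_len) return -1;              /* invalid offset */
    if (len.is_undefined) return buf_len - offset;               /* whole buffer */
    if (len.num < 0 || offset + len.num > buf_len) return -1;    /* invalid length */
    return len.num;
}

/* Constructed scenario: caller passes argc = 1, but the two following slots
 * happen to contain stale non-undefined values (simulated stack garbage). */
static int64_t demo_len(bool checked) {
    JSVal argv[3] = {
        { .is_undefined = false, .num = 0 },       /* the buffer "handle" */
        { .is_undefined = false, .num = 4 },       /* garbage read as byteOffset */
        { .is_undefined = false, .num = 999999 },  /* garbage read as length */
    };
    int64_t buf_len = 16; /* constructed buffer size */
    return checked ? typed_array_len_checked(buf_len, 1, argv)
                   : typed_array_len_unchecked(buf_len, 1, argv);
}
```

Caller-side, the equivalent defensive pattern with the real API is to fill all three argv slots explicitly, using JS_UNDEFINED for byteOffset and length, and pass argc = 3 so nothing past the array is ever read.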