From f4e48d79c089e129cef49fd2990036e2155887da Mon Sep 17 00:00:00 2001
From: =?utf8?q?Andr=C3=A9=20Bargull?= <andre.bargull@gmail.com>
Date: Fri, 26 Jan 2024 08:17:41 +0000
Subject: [PATCH] Bug 1842773 - Part 22: Validate length is in-bounds for
 TypedArray iterator methods. r=sfink

Simply calls `PossiblyWrappedTypedArrayLength` which throws an error for
out-of-bounds TypedArrays.

Differential Revision: https://phabricator.services.mozilla.com/D183339
---
 js/src/builtin/TypedArray.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/js/src/builtin/TypedArray.js b/js/src/builtin/TypedArray.js
index bd69ce938bd9..28cd66c361c2 100644
--- a/js/src/builtin/TypedArray.js
+++ b/js/src/builtin/TypedArray.js
@@ -231,6 +231,10 @@ function TypedArrayEntries() {
   // Step 2-6.
   EnsureTypedArrayWithArrayBuffer(O);
 
+  // We also need to make sure the length is in-bounds. This is checked by
+  // calling PossiblyWrappedTypedArrayLength, which throws for out-of-bounds.
+  PossiblyWrappedTypedArrayLength(O);
+
   // Step 7.
   return CreateArrayIterator(O, ITEM_KIND_KEY_AND_VALUE);
 }
@@ -697,6 +701,7 @@ function TypedArrayKeys() {
 
   // Step 2.
   EnsureTypedArrayWithArrayBuffer(O);
+  PossiblyWrappedTypedArrayLength(O);
 
   // Step 3.
   return CreateArrayIterator(O, ITEM_KIND_KEY);
@@ -1427,6 +1432,7 @@ function $TypedArrayValues() {
 
   // See the big comment in TypedArrayEntries for what we're doing here.
   EnsureTypedArrayWithArrayBuffer(O);
+  PossiblyWrappedTypedArrayLength(O);
 
   // Step 7.
   return CreateArrayIterator(O, ITEM_KIND_VALUE);
-- 
2.11.4.GIT