From 0415f271c324a0db03b145864412d99020591904 Mon Sep 17 00:00:00 2001
From: xurui
Date: Mon, 1 Apr 2024 19:51:45 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8DCVE-2024-2886?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: xurui
---
 src/builtins/builtins-arraybuffer.cc | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/src/builtins/builtins-arraybuffer.cc b/src/builtins/builtins-arraybuffer.cc
index b1f285b8d..2399f0ec2 100644
--- a/src/builtins/builtins-arraybuffer.cc
+++ b/src/builtins/builtins-arraybuffer.cc
@@ -584,15 +584,11 @@ Object ArrayBufferTransfer(Isolate* isolate, Handle array_buffer,
 auto from_backing_store = array_buffer->GetBackingStore();
 if (from_backing_store && !from_backing_store->is_resizable_by_js() &&
 resizable == ResizableFlag::kNotResizable &&
- (new_byte_length == array_buffer->GetByteLength() ||
- from_backing_store->CanReallocate())) {
- // Reallocate covers steps 10-14.
- if (new_byte_length != array_buffer->GetByteLength() &&
- !from_backing_store->Reallocate(isolate, new_byte_length)) {
- THROW_NEW_ERROR_RETURN_FAILURE(
- isolate,
- NewRangeError(MessageTemplate::kArrayBufferAllocationFailed));
- }
+ new_byte_length == array_buffer->GetByteLength()) {
+ // TODO(syg): Consider realloc when the default ArrayBuffer allocator's
+ // Reallocate does better than copy.
+ //
+ // See https://crbug.com/330575496#comment27
 // 15. Perform ! DetachArrayBuffer(arrayBuffer).
 JSArrayBuffer::Detach(array_buffer).Check();
-- Gitee
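Review bot: The new `// TODO(syg): Consider realloc ...` comment reads as a pending performance improvement and does not record that the `CanReallocate()`/`Reallocate()` branch was removed as the fix for the CVE named in the subject, so a maintainer acting on the TODO could reintroduce the removed path; I would add one line above it, `// NOTE: the in-place Reallocate path was removed for CVE-2024-2886 (crbug.com/330575496); do not re-enable without security re-review.` With the condition narrowed to `new_byte_length == array_buffer->GetByteLength()`, a transfer to a different length now leaves this branch entirely, and the `kArrayBufferAllocationFailed` RangeError deleted here must presumably now be raised by the copy path below the hunk — I cannot confirm from this hunk that it is. The enclosing `ArrayBufferTransfer` continues outside the hunk. The diffstat shows only this one file, so if the upstream change carried a regression test for the length-changing transfer case, this backport does not include it.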