LibWeb: Prevent crash when encoding into detached buffer

This handles the case where data is encoded into a detached buffer.
Author: https://github.com/skyz1 Commit: d37d0e4b59 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/4399 Reviewed-by: https://github.com/ADKaster Reviewed-by: https://github.com/trflynn89
2025-07-28 11:49:44 +00:00 · 2025-04-18 18:35:44 +02:00 · 2025-04-18 18:35:44 +02:00 · d37d0e4b59 · 2025-04-19 11:09:12 +00:00
commit d37d0e4b59
parent 8ec420bc28
4 changed files with 301 additions and 0 deletions
--- a/Libraries/LibWeb/Encoding/TextEncoder.cpp
+++ b/Libraries/LibWeb/Encoding/TextEncoder.cpp
@ -53,6 +53,12 @@ GC::Ref<JS::Uint8Array> TextEncoder::encode(String const& input) const
 // https://encoding.spec.whatwg.org/#dom-textencoder-encodeinto
 TextEncoderEncodeIntoResult TextEncoder::encode_into(String const& source, GC::Root<WebIDL::BufferSource> const& destination) const
 {
+    // AD-HOC: Return early if destination is detached. This is not explicitly handled in the spec,
+    //         however no bytes are copied as destinations size is always zero in this case.
+    //         See: https://github.com/whatwg/encoding/issues/324
+    if (destination->viewed_array_buffer()->is_detached())
+        return { 0, 0 };
+
    auto data = destination->viewed_array_buffer()->buffer().bytes().slice(destination->byte_offset(), destination->byte_length());

    // 1. Let read be 0.
@ -91,6 +97,7 @@ TextEncoderEncodeIntoResult TextEncoder::encode_into(String const& source, GC::R

            // 6.4.1.3. Write the bytes in result into destination, with startingOffset set to written.
            // 6.4.1.4. Increment written by the number of bytes in result.
+            // WARNING: See the warning for SharedArrayBuffer objects at https://encoding.spec.whatwg.org/#sharedarraybuffer-warning.
            for (auto byte : result)
                data[written++] = byte;
        }