From c1b62bbd72566e040a66aa20770cf94a6a3a2a0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?=
Date: Tue, 6 Jan 2026 10:57:24 +0100
Subject: [PATCH] Add tests for OOB access in atomic ops

https://github.com/quickjs-ng/quickjs/issues/1301
https://github.com/quickjs-ng/quickjs/issues/1302
---
 Makefile | 2 ++
 tests/bug1301.js | 21 +++++++++++++++++++++
 tests/bug1302.js | 24 ++++++++++++++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 tests/bug1301.js
 create mode 100644 tests/bug1302.js
diff --git a/Makefile b/Makefile
index dcbbf7e..1f10b3b 100644
--- a/Makefile
+++ b/Makefile
@@ -454,6 +454,8 @@ test: qjs$(EXE)
 $(WINE) ./qjs$(EXE) tests/test_bigint.js
 $(WINE) ./qjs$(EXE) tests/test_cyclic_import.js
 $(WINE) ./qjs$(EXE) tests/test_worker.js
+ $(WINE) ./qjs$(EXE) tests/bug1301.js
+ $(WINE) ./qjs$(EXE) tests/bug1302.js
 ifndef CONFIG_WIN32
 $(WINE) ./qjs$(EXE) tests/test_std.js
 endif
diff --git a/tests/bug1301.js b/tests/bug1301.js
new file mode 100644
index 0000000..b47345a
--- /dev/null
+++ b/tests/bug1301.js
@@ -0,0 +1,21 @@
+/*---
+features: [skip-if-tcc]
+---*/
+
+import {assert} from "./assert.js"
+
+const rab = new ArrayBuffer(1024, { maxByteLength: 1024 * 1024 });
+const i32 = new Int32Array(rab);
+const evil = {
+valueOf: () => {
+rab.resize(0);
+return 123;
+}
+};
+
+try {
+Atomics.store(i32, 0, evil);
+throw Error("Should not get here");
+} catch (e) {
+assert(e instanceof RangeError);
+}
diff --git a/tests/bug1302.js b/tests/bug1302.js
new file mode 100644
index 0000000..8ce53df
--- /dev/null
+++ b/tests/bug1302.js
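Review bot: The two new `qjs` invocations run unconditionally under `make test`, while both test files carry a `features: [skip-if-tcc]` header; unless the plain `./qjs tests/bug130x.js` run honours that header (nothing in this patch shows that it does), a TCC build will execute the tests anyway and the target will fail if the marker exists because they are known not to work there. Consider guarding the two lines with a Makefile conditional in the same way `tests/test_std.js` is guarded by `ifndef CONFIG_WIN32` just below, keyed on whatever variable identifies a TCC build, or confirm that the header is honoured by the runner and say so in the commit message.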
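Review bot: The assertion only checks that a RangeError came out of `Atomics.store`, not that it came out after `valueOf` shrank the buffer, so an implementation that rejects the call for an unrelated reason before coercing the value would pass without ever exercising the revalidation this test is for; the same applies to tests/bug1302.js. Record that the coercion happened with `let coerced = false;` before `evil`, `coerced = true;` as the first statement of `valueOf`, and `assert(coerced);` after the catch block. The file also carries no explanation of what it reproduces beyond the issue link in the commit; a header comment such as `// Regression test for quickjs-ng issue 1301: valueOf() shrinks the resizable backing buffer while the value is being coerced, so the store must throw RangeError instead of accessing past the now zero-length buffer.` would let a reader understand the odd-looking `evil` object without looking up the issue.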
@@ -0,0 +1,24 @@
+/*---
+features: [skip-if-tcc]
+---*/
+
+import {assert} from "./assert.js"
+
+const rab = new ArrayBuffer(1024, { maxByteLength: 1024 * 1024 });
+const i32 = new Int32Array(rab);
+const evil = {
+valueOf: () => {
+rab.resize(0);
+return 123;
+}
+};
+try {
+Atomics.add(i32, 0, evil);
+// Atomics.sub(i32, 0, evil);
+// Atomics.and(i32, 0, evil);
+// Atomics.or(i32, 0, evil);
+// Atomics.xor(i32, 0, evil);
+throw Error("Should not get here");
+} catch (e) {
+assert(e instanceof RangeError);
+}
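Review bot: Only `Atomics.add` is exercised; `sub`, `and`, `or` and `xor` are present as commented-out lines inside the try block, so the file documents an intent to cover them but does not, and the commented code will rot. The likely reason they are commented out is that `rab` is already length 0 after the first call, so a second call on the same buffer could not reproduce the scenario; looping over the operation names with a fresh buffer per iteration covers all five paths in one test and makes a failure name the operation.
```javascript
// … unchanged: header and import …
for (const op of ["add", "sub", "and", "or", "xor"]) {
  const rab = new ArrayBuffer(1024, { maxByteLength: 1024 * 1024 });
  const i32 = new Int32Array(rab);
  const evil = {
    valueOf: () => {
      rab.resize(0);
      return 123;
    }
  };
  try {
    Atomics[op](i32, 0, evil);
    throw Error(`${op}: should not get here`);
  } catch (e) {
    assert(e instanceof RangeError);
  }
}
```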