[node:vm] Fix crash when `new ArrayBuffer()` is returned

2 files changed, 25 insertions, 0 deletions

diff --git a/src/bun.js/bindings/webcore/WebCoreTypedArrayController.cpp b/src/bun.js/bindings/webcore/WebCoreTypedArrayController.cpp
index 4c9660e26..ca8c79aef 100644
--- a/src/bun.js/bindings/webcore/WebCoreTypedArrayController.cpp
+++ b/src/bun.js/bindings/webcore/WebCoreTypedArrayController.cpp
@@ -51,6 +51,10 @@ JSC::JSArrayBuffer* WebCoreTypedArrayController::toJS(JSC::JSGlobalObject* lexic
 
 void WebCoreTypedArrayController::registerWrapper(JSC::JSGlobalObject* globalObject, JSC::ArrayBuffer* native, JSC::JSArrayBuffer* wrapper)
 {
+    // require("vm") can be used to create an ArrayBuffer
+    if (UNLIKELY(!globalObject->inherits<JSDOMGlobalObject>()))
+        return;
+
     cacheWrapper(JSC::jsCast<JSDOMGlobalObject*>(globalObject)->world(), native, wrapper);
 }
 
diff --git a/test/js/node/vm/vm.test.ts b/test/js/node/vm/vm.test.ts
index 1aba597c7..510448c5e 100644
--- a/test/js/node/vm/vm.test.ts
+++ b/test/js/node/vm/vm.test.ts
@@ -74,6 +74,27 @@ function testRunInContext(
     const result = fn("1 + 1; 2 * 2; 3 / 3", context);
     expect(result).toBe(1);
   });
+
+  for (let View of [
+    ArrayBuffer,
+    SharedArrayBuffer,
+    Uint8Array,
+    Int8Array,
+    Uint16Array,
+    Int16Array,
+    Uint32Array,
+    Int32Array,
+    Float32Array,
+    Float64Array,
+    BigInt64Array,
+    BigUint64Array,
+  ]) {
+    test(`new ${View.name}() in VM context doesn't crash`, () => {
+      const context = createContext({});
+      expect(fn(`new ${View.name}(2)`, context)).toHaveLength(2);
+    });
+  }
+
   test("can return a function", () => {
     const context = createContext({});
     const result = fn("() => 'bar';", context);