fix: Allocation failure checks (#1457)

TartanLlama · zkat · web-flow · commit c882105b1daf · 2026-05-08T13:19:08.000-07:00
Co-authored-by: Kat Marchán &lt;kzm@zkat.tech&gt;
diff --git a/runtime/fastly/builtins/edge-rate-limiter.cpp b/runtime/fastly/builtins/edge-rate-limiter.cpp
@@ -303,6 +303,9 @@ bool RateCounter::constructor(JSContext *cx, unsigned argc, JS::Value *vp) {
     return false;
   }
   JS::RootedString name_str(cx, JS_NewStringCopyN(cx, name.begin(), name.len));
+  if (!name_str) {
+    return false;
+  }
   JS::SetReservedSlot(instance, static_cast<uint32_t>(Slots::Name), JS::StringValue(name_str));
   args.rval().setObject(*instance);
   return true;
diff --git a/runtime/fastly/builtins/fastly.cpp b/runtime/fastly/builtins/fastly.cpp
@@ -1019,6 +1019,9 @@ JS::Result<std::tuple<JS::UniqueChars, size_t>> convertBodyInit(JSContext *cx,
   if (bodyObj && JS_IsArrayBufferViewObject(bodyObj)) {
     length = JS_GetArrayBufferViewByteLength(bodyObj);
     buf.reset(reinterpret_cast<char *>(JS_malloc(cx, length)));
+    if (!buf) {
+      return JS::Result<std::tuple<JS::UniqueChars, size_t>>(JS::Error());
+    }
     // `maybeNoGC` needs to be populated for the lifetime of `buf` because
     // short typed arrays have inline data which can move on GC, so assert
     // that no GC happens. (Which it doesn't, because we're not allocating
@@ -1040,6 +1043,9 @@ JS::Result<std::tuple<JS::UniqueChars, size_t>> convertBodyInit(JSContext *cx,
   } else if (bodyObj && URLSearchParams::is_instance(bodyObj)) {
     jsurl::SpecSlice slice = URLSearchParams::serialize(cx, bodyObj);
     buf.reset(reinterpret_cast<char *>(JS_malloc(cx, slice.len)));
+    if (!buf) {
+      return JS::Result<std::tuple<JS::UniqueChars, size_t>>(JS::Error());
+    }
     std::memcpy(buf.get(), slice.data, slice.len);
     length = slice.len;
     return JS::Result<std::tuple<JS::UniqueChars, size_t>>(std::make_tuple(std::move(buf), length));
