author | Ben Noordhuis <info@bnoordhuis.nl> | 2015-07-04 04:37:18 +0300 |
---|---|---|
committer | Rod Vagg <rod@vagg.org> | 2015-07-04 05:19:21 +0300 |
commit | 78de5f85f2a929c0282924b2afce915b9bded654 (patch) | |
tree | e0bea55078de4871d3990500ded7930956078c7a | |
parent | d8f260d33b1d2992dff557ef12384932cf890198 (diff) |
deps: fix out-of-band write in utf8 decoder
Originally reported by: Kris Reeves <kris.re@bbhmedia.com>
This is a back-port of commit 030f804 from the master branch.
Reviewed-By: Rod Vagg <rod@vagg.org>
-rw-r--r-- | deps/v8/src/unicode-decoder.cc | 10 | ||||
-rw-r--r-- | deps/v8/src/unicode-decoder.h | 8 |
2 files changed, 13 insertions, 5 deletions
diff --git a/deps/v8/src/unicode-decoder.cc b/deps/v8/src/unicode-decoder.cc
index 88eff3ad266..feda3ce4e0c 100644
--- a/deps/v8/src/unicode-decoder.cc
+++ b/deps/v8/src/unicode-decoder.cc
@@ -15,6 +15,7 @@ void Utf8DecoderBase::Reset(uint16_t* buffer, unsigned buffer_length,
 // Assume everything will fit in the buffer and stream won't be needed.
 last_byte_of_buffer_unused_ = false;
 unbuffered_start_ = NULL;
+ unbuffered_length_ = 0;
 bool writing_to_buffer = true;
 // Loop until stream is read, writing to buffer as long as buffer has space.
 unsigned utf16_length = 0;
@@ -41,6 +42,7 @@ void Utf8DecoderBase::Reset(uint16_t* buffer, unsigned buffer_length,
 // Just wrote last character of buffer
 writing_to_buffer = false;
 unbuffered_start_ = stream;
+ unbuffered_length_ = stream_length;
 }
 continue;
 }
@@ -50,19 +52,22 @@ void Utf8DecoderBase::Reset(uint16_t* buffer, unsigned buffer_length,
 writing_to_buffer = false;
 last_byte_of_buffer_unused_ = true;
 unbuffered_start_ = stream - cursor;
+ unbuffered_length_ = stream_length + cursor;
 }
 utf16_length_ = utf16_length;
 }
-void Utf8DecoderBase::WriteUtf16Slow(const uint8_t* stream, uint16_t* data,
+void Utf8DecoderBase::WriteUtf16Slow(const uint8_t* stream,
+ unsigned stream_length, uint16_t* data,
 unsigned data_length) {
 while (data_length != 0) {
 unsigned cursor = 0;
- uint32_t character = Utf8::ValueOf(stream, Utf8::kMaxEncodedSize, &cursor);
+ uint32_t character = Utf8::ValueOf(stream, stream_length, &cursor);
 // There's a total lack of bounds checking for stream
 // as it was already done in Reset.
 stream += cursor;
+ stream_length -= cursor;
 if (character > unibrow::Utf16::kMaxNonSurrogateCharCode) {
 *data++ = Utf16::LeadSurrogate(character);
 *data++ = Utf16::TrailSurrogate(character);
@@ -73,6 +78,7 @@ void Utf8DecoderBase::WriteUtf16Slow(const uint8_t* stream, uint16_t* data,
 data_length -= 1;
 }
 }
+ DCHECK(stream_length >= 0);
 }
 } // namespace unibrow
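Review bot: The two comment lines `// There's a total lack of bounds checking for stream` / `// as it was already done in Reset.` are now wrong: the line directly above them passes `stream_length` instead of `Utf8::kMaxEncodedSize` to `Utf8::ValueOf`, which is exactly the bounds check this commit introduces, so the comment contradicts the code it annotates. Suggest replacing both lines with `// Reset already validated the stream; stream_length is the remaining byte budget and bounds ValueOf so the slow path cannot read past the end.` The added `stream_length -= cursor;` is an unguarded unsigned subtraction, so if `ValueOf` ever reported a cursor larger than the bytes left (its contract is not visible here) the budget would wrap to a huge value and silently re-enable the over-read the patch is fixing; `DCHECK_LE(cursor, stream_length);` immediately before the subtraction would catch that in debug builds. WriteUtf16Slow's body continues past the end of this hunk.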
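Review bot: `DCHECK(stream_length >= 0);` can never fire, because `stream_length` is declared `unsigned` in the new signature earlier in this file, so the comparison is a tautology (and most compilers warn about it as such). If the intent is that the slow path consumed exactly the bytes Reset handed over, the assertion would be `DCHECK_EQ(0u, stream_length);`, but that only holds if every caller requests the full remaining utf16 length, which the visible code does not establish; if that cannot be guaranteed, the check should be removed rather than left looking like a guard. The condition the patch actually needs to assert is that `cursor` never exceeds the remaining budget, which belongs at the subtraction inside the loop rather than after it.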
diff --git a/deps/v8/src/unicode-decoder.h b/deps/v8/src/unicode-decoder.h
index 35ea30cf1a5..c18635d513b 100644
--- a/deps/v8/src/unicode-decoder.h
+++ b/deps/v8/src/unicode-decoder.h
@@ -23,9 +23,10 @@ class Utf8DecoderBase {
 // The first buffer_length utf16 chars are cached in the buffer.
 void Reset(uint16_t* buffer, unsigned buffer_length, const uint8_t* stream, unsigned stream_length);
- static void WriteUtf16Slow(const uint8_t* stream, uint16_t* data,
- unsigned length);
+ static void WriteUtf16Slow(const uint8_t* stream, unsigned stream_length,
+ uint16_t* data, unsigned length);
 const uint8_t* unbuffered_start_;
+ unsigned unbuffered_length_;
 unsigned utf16_length_;
 bool last_byte_of_buffer_unused_;
@@ -48,6 +49,7 @@ class Utf8Decoder : public Utf8DecoderBase {
 Utf8DecoderBase::Utf8DecoderBase() : unbuffered_start_(NULL),
+ unbuffered_length_(0),
 utf16_length_(0),
 last_byte_of_buffer_unused_(false) {}
@@ -85,7 +87,7 @@ unsigned Utf8Decoder<kBufferSize>::WriteUtf16(uint16_t* data,
 if (length <= buffer_length) return length;
 DCHECK(unbuffered_start_ != NULL);
 // Copy the rest the slow way.
- WriteUtf16Slow(unbuffered_start_, data + buffer_length,
+ WriteUtf16Slow(unbuffered_start_, unbuffered_length_, data + buffer_length,
 length - buffer_length);
 return length;
 } |
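Review bot: The new member `unsigned unbuffered_length_;` carries no comment, and since it is the value that now bounds the slow-path decode it is worth stating what it measures; from the assignments in unicode-decoder.cc it is the number of input bytes left starting at `unbuffered_start_`, so `// Bytes of the input stream remaining from unbuffered_start_.` would document it. As a point of style, the re-declared `WriteUtf16Slow` keeps the old name `length` for its last parameter while the definition in unicode-decoder.cc calls the same parameter `data_length`; `uint16_t* data, unsigned data_length);` would keep the two in agreement now that the signature is being touched anyway.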
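Review bot: The existing `DCHECK(unbuffered_start_ != NULL);` guards the pointer but nothing guards the new length that is passed alongside it on the next line. Reaching this point means more than `buffer_length` units are still to be written, which presumably requires bytes left in the stream, so `DCHECK_NE(0u, unbuffered_length_);` next to it would catch a Reset/WriteUtf16 mismatch before the slow path runs on an empty budget; this assumes `length` is bounded by `utf16_length_`, which is computed outside this hunk. WriteUtf16's signature and the computation of `length` and `buffer_length` start before this hunk.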