deps: fix out-of-band write in utf8 decoder

indutny · Julien Gilli · commit 78b0e3095411 · 2015-07-03T17:32:01.000-07:00
Originally reported by: Kris Reeves &lt;kris.re@bbhmedia.com&gt;

Reviewed-By: Trevor Norris &lt;trev.norris@gmail.com&gt;
diff --git a/deps/v8/src/unicode-inl.h b/deps/v8/src/unicode-inl.h
@@ -155,6 +155,7 @@ unsigned Utf8::Length(uchar c, int previous) {
 
 Utf8DecoderBase::Utf8DecoderBase()
   : unbuffered_start_(NULL),
+    unbuffered_length_(0),
     utf16_length_(0),
     last_byte_of_buffer_unused_(false) {}
 
@@ -194,8 +195,7 @@ unsigned Utf8Decoder<kBufferSize>::WriteUtf16(uint16_t* data,
   if (length <= buffer_length) return length;
   DCHECK(unbuffered_start_ != NULL);
   // Copy the rest the slow way.
-  WriteUtf16Slow(unbuffered_start_,
-                 data + buffer_length,
+  WriteUtf16Slow(unbuffered_start_, unbuffered_length_, data + buffer_length,
                  length - buffer_length);
   return length;
 }
diff --git a/deps/v8/src/unicode.cc b/deps/v8/src/unicode.cc
@@ -265,6 +265,7 @@ void Utf8DecoderBase::Reset(uint16_t* buffer,
   // Assume everything will fit in the buffer and stream won't be needed.
   last_byte_of_buffer_unused_ = false;
   unbuffered_start_ = NULL;
+  unbuffered_length_ = 0;
   bool writing_to_buffer = true;
   // Loop until stream is read, writing to buffer as long as buffer has space.
   unsigned utf16_length = 0;
@@ -291,6 +292,7 @@ void Utf8DecoderBase::Reset(uint16_t* buffer,
         // Just wrote last character of buffer
         writing_to_buffer = false;
         unbuffered_start_ = stream;
+        unbuffered_length_ = stream_length;
       }
       continue;
     }
@@ -300,20 +302,24 @@ void Utf8DecoderBase::Reset(uint16_t* buffer,
     writing_to_buffer = false;
     last_byte_of_buffer_unused_ = true;
     unbuffered_start_ = stream - cursor;
+    unbuffered_length_ = stream_length + cursor;
   }
   utf16_length_ = utf16_length;
 }
 
 
 void Utf8DecoderBase::WriteUtf16Slow(const uint8_t* stream,
+                                     unsigned stream_length,
                                      uint16_t* data,
                                      unsigned data_length) {
   while (data_length != 0) {
     unsigned cursor = 0;
-    uint32_t character = Utf8::ValueOf(stream, Utf8::kMaxEncodedSize, &cursor);
+
+    uint32_t character = Utf8::ValueOf(stream, stream_length, &cursor);
     // There's a total lack of bounds checking for stream
     // as it was already done in Reset.
     stream += cursor;
+    stream_length -= cursor;
     if (character > unibrow::Utf16::kMaxNonSurrogateCharCode) {
       *data++ = Utf16::LeadSurrogate(character);
       *data++ = Utf16::TrailSurrogate(character);
@@ -324,6 +330,7 @@ void Utf8DecoderBase::WriteUtf16Slow(const uint8_t* stream,
       data_length -= 1;
     }
   }
+  DCHECK(stream_length >= 0);
 }
 
 
diff --git a/deps/v8/src/unicode.h b/deps/v8/src/unicode.h
@@ -172,10 +172,10 @@ class Utf8DecoderBase {
              unsigned buffer_length,
              const uint8_t* stream,
              unsigned stream_length);
-  static void WriteUtf16Slow(const uint8_t* stream,
-                             uint16_t* data,
-                             unsigned length);
+  static void WriteUtf16Slow(const uint8_t* stream, unsigned stream_length,
+                             uint16_t* data, unsigned length);
   const uint8_t* unbuffered_start_;
+  unsigned unbuffered_length_;
   unsigned utf16_length_;
   bool last_byte_of_buffer_unused_;
  private:
