    unicode-decoder: fix out-of-band write in utf16 · b199bcdd
    fedor authored
    `WriteUtf16Slow` should not assume that the output buffer has enough
    bytes to hold both words of a surrogate pair. It should pass the number of
    remaining bytes to `Utf8::ValueOf` instead, just as we already do in
    `Utf8DecoderBase::Reset`. Otherwise it will attempt to write the trail
    uint16_t past the buffer boundary, leading to memory corruption and a
    possible crash.
    
    Originally reported by: Kris Reeves <kris.re@bbhmedia.com>
    
    BUG=v8:4274
    R=danno
    R=svenpanne
    LOG=y
    
    Review URL: https://codereview.chromium.org/1226493003
    
    Cr-Commit-Position: refs/heads/master@{#29485}
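Added example, not V8's code and not the patch from this commit: a minimal UTF-8 to UTF-16 writer in C that reproduces the defect the message describes. The names `decode_utf8_one`, `write_utf16_unchecked`, `write_utf16_bounded` and `canary_survives` are hypothetical, and the input bytes and canary value are constructed. The unchecked writer only verifies that one uint16_t fits before it starts a code point, then emits the trail surrogate unconditionally; the bounded writer compares the remaining slot count against the number of UTF-16 units the code point needs and stops before a pair that would not fit. The canary slot sits one past the declared capacity so the overwrite is observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; constructed data. Not V8 code. */
#define UTF16_CANARY 0xBEEF

/* Decode one UTF-8 sequence at in[0]. Stores the code point in *cp and
 * returns the number of bytes consumed (1..4), or 0 on malformed input.
 * Overlong and surrogate-range checks are omitted for brevity. */
static size_t decode_utf8_one(const uint8_t *in, size_t in_len, uint32_t *cp) {
    if (in_len == 0) return 0;
    uint8_t b0 = in[0];
    size_t need = 0;
    uint32_t v = 0;
    if (b0 < 0x80) { *cp = b0; return 1; }
    else if ((b0 & 0xE0) == 0xC0) { need = 1; v = b0 & 0x1F; }
    else if ((b0 & 0xF0) == 0xE0) { need = 2; v = b0 & 0x0F; }
    else if ((b0 & 0xF8) == 0xF0) { need = 3; v = b0 & 0x07; }
    else return 0;
    if (in_len < need + 1) return 0;          /* truncated sequence */
    for (size_t i = 1; i <= need; i++) {
        if ((in[i] & 0xC0) != 0x80) return 0; /* bad continuation byte */
        v = (v << 6) | (in[i] & 0x3F);
    }
    if (v > 0x10FFFF) return 0;
    *cp = v;
    return need + 1;
}

/* Vulnerable pattern: space is checked for one unit, then a supplementary
 * code point writes two. The trail surrogate can land at out[out_len]. */
size_t write_utf16_unchecked(const uint8_t *in, size_t in_len,
                             uint16_t *out, size_t out_len) {
    size_t i = 0, o = 0;
    while (i < in_len && o < out_len) {
        uint32_t cp;
        size_t n = decode_utf8_one(in + i, in_len - i, &cp);
        if (n == 0) break;
        i += n;
        if (cp < 0x10000) {
            out[o++] = (uint16_t)cp;
        } else {
            cp -= 0x10000;
            out[o++] = (uint16_t)(0xD800 + (cp >> 10));
            out[o++] = (uint16_t)(0xDC00 + (cp & 0x3FF)); /* unchecked */
        }
    }
    return o;
}

/* Hardened: the remaining slot count decides whether the code point can be
 * emitted at all; a pair that does not fit is never started. */
size_t write_utf16_bounded(const uint8_t *in, size_t in_len,
                           uint16_t *out, size_t out_len) {
    size_t i = 0, o = 0;
    while (i < in_len && o < out_len) {
        uint32_t cp;
        size_t n = decode_utf8_one(in + i, in_len - i, &cp);
        if (n == 0) break;
        size_t units = cp < 0x10000 ? 1 : 2;
        if (out_len - o < units) break;        /* pair would overflow: stop */
        i += n;
        if (units == 1) {
            out[o++] = (uint16_t)cp;
        } else {
            cp -= 0x10000;
            out[o++] = (uint16_t)(0xD800 + (cp >> 10));
            out[o++] = (uint16_t)(0xDC00 + (cp & 0x3FF));
        }
    }
    return o;
}

/* Constructed input: "ab" then U+1F600 (F0 9F 98 80), which needs two UTF-16
 * units. The writer is told it has 3 slots; the real buffer has 4, and the
 * 4th holds a canary. Returns 1 if the canary survived, 0 if it was clobbered. */
int canary_survives(size_t (*writer)(const uint8_t *, size_t, uint16_t *, size_t)) {
    const uint8_t input[] = { 'a', 'b', 0xF0, 0x9F, 0x98, 0x80 };
    uint16_t buf[4] = { 0, 0, 0, UTF16_CANARY };
    writer(input, sizeof input, buf, 3);
    return buf[3] == UTF16_CANARY;
}

/* Sanity check that the bounded writer still encodes the pair correctly when
 * there is room: returns the unit count, and 0 if the surrogates are wrong. */
size_t bounded_units_with_room(void) {
    const uint8_t input[] = { 'a', 'b', 0xF0, 0x9F, 0x98, 0x80 };
    uint16_t buf[8] = { 0 };
    size_t n = write_utf16_bounded(input, sizeof input, buf, 8);
    if (buf[2] != 0xD83D || buf[3] != 0xDE00) return 0;
    return n;
}

int main(void) {
    printf("unchecked writer: canary %s\n",
           canary_survives(write_utf16_unchecked) ? "intact" : "CLOBBERED");
    printf("bounded writer:   canary %s\n",
           canary_survives(write_utf16_bounded) ? "intact" : "CLOBBERED");
    return 0;
}
```

Run under AddressSanitizer with the canary slot removed and the unchecked writer reports a stack-buffer-overflow at the trail surrogate store; that is the crash the commit message refers to. The bounded writer returns 2 for the constructed input, leaving the emoji for the caller's next chunk rather than truncating it mid-pair.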