a332763fb7
This fix has been backported instead of upgrading to a newer release as the upstream release process is a complicated fast-moving target and the current ports are using custom snapshots created by the port maintainer. This will also limit the amount of potential fallout as we know the existing v8 port works well enough to keep mongodb up to date. PR: 201450 MFH: 2015Q3 Security: CVE-2015-5380 Security: 864e6f75-2372-11e5-86ff-14dae9d210b8
95 lines
3.4 KiB
Text
95 lines
3.4 KiB
Text
Backport of fix found here:
|
|
https://github.com/joyent/node/commit/78b0e30954111cfaba0edbeee85450d8cbc6fdf6
|
|
|
|
Note, this patch is modified to use ASSERT instead of DCHECK because
|
|
this version of node is from before the rename which happened here:
|
|
https://codereview.chromium.org/430503007
|
|
|
|
--- src/unicode-inl.h.orig 2013-05-01 12:56:29 UTC
|
|
+++ src/unicode-inl.h
|
|
@@ -168,6 +168,7 @@ unsigned Utf8::Length(uchar c, int previ
|
|
|
|
Utf8DecoderBase::Utf8DecoderBase()
|
|
: unbuffered_start_(NULL),
|
|
+ unbuffered_length_(0),
|
|
utf16_length_(0),
|
|
last_byte_of_buffer_unused_(false) {}
|
|
|
|
@@ -207,8 +208,7 @@ unsigned Utf8Decoder<kBufferSize>::Write
|
|
if (length <= buffer_length) return length;
|
|
ASSERT(unbuffered_start_ != NULL);
|
|
// Copy the rest the slow way.
|
|
- WriteUtf16Slow(unbuffered_start_,
|
|
- data + buffer_length,
|
|
+ WriteUtf16Slow(unbuffered_start_, unbuffered_length_, data + buffer_length,
|
|
length - buffer_length);
|
|
return length;
|
|
}
|
|
--- src/unicode.cc.orig 2013-05-01 12:56:29 UTC
|
|
+++ src/unicode.cc
|
|
@@ -284,6 +284,7 @@ void Utf8DecoderBase::Reset(uint16_t* bu
|
|
// Assume everything will fit in the buffer and stream won't be needed.
|
|
last_byte_of_buffer_unused_ = false;
|
|
unbuffered_start_ = NULL;
|
|
+ unbuffered_length_ = 0;
|
|
bool writing_to_buffer = true;
|
|
// Loop until stream is read, writing to buffer as long as buffer has space.
|
|
unsigned utf16_length = 0;
|
|
@@ -310,6 +311,7 @@ void Utf8DecoderBase::Reset(uint16_t* bu
|
|
// Just wrote last character of buffer
|
|
writing_to_buffer = false;
|
|
unbuffered_start_ = stream;
|
|
+ unbuffered_length_ = stream_length;
|
|
}
|
|
continue;
|
|
}
|
|
@@ -319,20 +321,24 @@ void Utf8DecoderBase::Reset(uint16_t* bu
|
|
writing_to_buffer = false;
|
|
last_byte_of_buffer_unused_ = true;
|
|
unbuffered_start_ = stream - cursor;
|
|
+ unbuffered_length_ = stream_length + cursor;
|
|
}
|
|
utf16_length_ = utf16_length;
|
|
}
|
|
|
|
|
|
void Utf8DecoderBase::WriteUtf16Slow(const uint8_t* stream,
|
|
+ unsigned stream_length,
|
|
uint16_t* data,
|
|
unsigned data_length) {
|
|
while (data_length != 0) {
|
|
unsigned cursor = 0;
|
|
- uint32_t character = Utf8::ValueOf(stream, Utf8::kMaxEncodedSize, &cursor);
|
|
+
|
|
+ uint32_t character = Utf8::ValueOf(stream, stream_length, &cursor);
|
|
// There's a total lack of bounds checking for stream
|
|
// as it was already done in Reset.
|
|
stream += cursor;
|
|
+ stream_length -= cursor;
|
|
if (character > unibrow::Utf16::kMaxNonSurrogateCharCode) {
|
|
*data++ = Utf16::LeadSurrogate(character);
|
|
*data++ = Utf16::TrailSurrogate(character);
|
|
@@ -343,6 +349,7 @@ void Utf8DecoderBase::WriteUtf16Slow(con
|
|
data_length -= 1;
|
|
}
|
|
}
|
|
+ ASSERT(stream_length >= 0);
|
|
}
|
|
|
|
|
|
--- src/unicode.h.orig 2013-05-01 12:56:29 UTC
|
|
+++ src/unicode.h
|
|
@@ -184,10 +184,10 @@ class Utf8DecoderBase {
|
|
unsigned buffer_length,
|
|
const uint8_t* stream,
|
|
unsigned stream_length);
|
|
- static void WriteUtf16Slow(const uint8_t* stream,
|
|
- uint16_t* data,
|
|
- unsigned length);
|
|
+ static void WriteUtf16Slow(const uint8_t* stream, unsigned stream_length,
|
|
+ uint16_t* data, unsigned length);
|
|
const uint8_t* unbuffered_start_;
|
|
+ unsigned unbuffered_length_;
|
|
unsigned utf16_length_;
|
|
bool last_byte_of_buffer_unused_;
|
|
private:
|