deps: fix out-of-band write in utf8 decoder

bnoordhuis · rvagg · commit 78de5f85f2a9 · 2015-07-04T12:19:21.000+10:00
Originally reported by: Kris Reeves <kris.re@bbhmedia.com> This is a back-port of commit 030f804 from the master branch. Reviewed-By: Rod Vagg <rod@vagg.org>
diff --git a/deps/v8/src/unicode-decoder.cc b/deps/v8/src/unicode-decoder.cc
@@ -15,6 +15,7 @@ void Utf8DecoderBase::Reset(uint16_t* buffer, unsigned buffer_length,
   // Assume everything will fit in the buffer and stream won't be needed.
   last_byte_of_buffer_unused_ = false;
   unbuffered_start_ = NULL;
+  unbuffered_length_ = 0;
   bool writing_to_buffer = true;
   // Loop until stream is read, writing to buffer as long as buffer has space.
   unsigned utf16_length = 0;
@@ -41,6 +42,7 @@ void Utf8DecoderBase::Reset(uint16_t* buffer, unsigned buffer_length,
         // Just wrote last character of buffer
         writing_to_buffer = false;
         unbuffered_start_ = stream;
+        unbuffered_length_ = stream_length;
       }
       continue;
     }
@@ -50,19 +52,22 @@ void Utf8DecoderBase::Reset(uint16_t* buffer, unsigned buffer_length,
     writing_to_buffer = false;
     last_byte_of_buffer_unused_ = true;
     unbuffered_start_ = stream - cursor;
+    unbuffered_length_ = stream_length + cursor;
   }
   utf16_length_ = utf16_length;
 }
 
 
-void Utf8DecoderBase::WriteUtf16Slow(const uint8_t* stream, uint16_t* data,
+void Utf8DecoderBase::WriteUtf16Slow(const uint8_t* stream,
+                                     unsigned stream_length, uint16_t* data,
                                      unsigned data_length) {
   while (data_length != 0) {
     unsigned cursor = 0;
-    uint32_t character = Utf8::ValueOf(stream, Utf8::kMaxEncodedSize, &cursor);
+    uint32_t character = Utf8::ValueOf(stream, stream_length, &cursor);
     // There's a total lack of bounds checking for stream
     // as it was already done in Reset.
     stream += cursor;
+    stream_length -= cursor;
     if (character > unibrow::Utf16::kMaxNonSurrogateCharCode) {
       *data++ = Utf16::LeadSurrogate(character);
       *data++ = Utf16::TrailSurrogate(character);
@@ -73,6 +78,7 @@ void Utf8DecoderBase::WriteUtf16Slow(const uint8_t* stream, uint16_t* data,
       data_length -= 1;
     }
   }
+  DCHECK(stream_length >= 0);
 }
 
 }  // namespace unibrow
diff --git a/deps/v8/src/unicode-decoder.h b/deps/v8/src/unicode-decoder.h
@@ -23,9 +23,10 @@ class Utf8DecoderBase {
   // The first buffer_length utf16 chars are cached in the buffer.
   void Reset(uint16_t* buffer, unsigned buffer_length, const uint8_t* stream,
              unsigned stream_length);
-  static void WriteUtf16Slow(const uint8_t* stream, uint16_t* data,
-                             unsigned length);
+  static void WriteUtf16Slow(const uint8_t* stream, unsigned stream_length,
+                             uint16_t* data, unsigned length);
   const uint8_t* unbuffered_start_;
+  unsigned unbuffered_length_;
   unsigned utf16_length_;
   bool last_byte_of_buffer_unused_;
 
@@ -48,6 +49,7 @@ class Utf8Decoder : public Utf8DecoderBase {
 
 Utf8DecoderBase::Utf8DecoderBase()
     : unbuffered_start_(NULL),
+      unbuffered_length_(0),
       utf16_length_(0),
       last_byte_of_buffer_unused_(false) {}
 
@@ -85,7 +87,7 @@ unsigned Utf8Decoder<kBufferSize>::WriteUtf16(uint16_t* data,
   if (length <= buffer_length) return length;
   DCHECK(unbuffered_start_ != NULL);
   // Copy the rest the slow way.
-  WriteUtf16Slow(unbuffered_start_, data + buffer_length,
+  WriteUtf16Slow(unbuffered_start_, unbuffered_length_, data + buffer_length,
                  length - buffer_length);
   return length;
 }
