unicode-decoder: fix out-of-band write in utf16
author    fedor <fedor@indutny.com>
          Mon, 6 Jul 2015 11:00:05 +0000 (04:00 -0700)
committer Commit bot <commit-bot@chromium.org>
          Mon, 6 Jul 2015 11:00:12 +0000 (11:00 +0000)
commit    b199bcdd47ae97ec116b430e34ab42001c8f04c0
tree      394a77598a63530328b7347ee50797f1132fc45b
parent    9599bad42004003a67de974495e8b933190ec624
unicode-decoder: fix out-of-band write in utf16

`WriteUtf16Slow` should not assume that the output buffer has enough
bytes to hold both words of a surrogate pair. It should pass the number of
remaining bytes to `Utf8::ValueOf` instead, just as we already do in
`Utf8DecoderBase::Reset`. Otherwise it will attempt to write the trail
uint16_t past the buffer boundary, leading to memory corruption and a
possible crash.

Originally reported by: Kris Reeves <kris.re@bbhmedia.com>

BUG=v8:4274
R=danno
R=svenpanne
LOG=y

Review URL: https://codereview.chromium.org/1226493003

Cr-Commit-Position: refs/heads/master@{#29485}
src/unicode-decoder.cc
src/unicode-decoder.h
test/cctest/test-api.cc
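The defect class this commit message describes, shown as an added illustration rather than V8's code or the diff from this commit: a minimal UTF-8 to UTF-16 writer in which the surrogate-pair branch receives the number of remaining output units and refuses to emit a pair that would not fit, instead of assuming two free slots. The function names (`DecodeOne`, `WriteUtf16`, `Utf8ToUtf16`), the canary-filled buffer and the sample input are all constructed for this example and do not correspond to V8 internals.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Decode one UTF-8 sequence starting at in[pos]; advances pos.
// Truncated or malformed sequences yield U+FFFD and consume one byte.
static uint32_t DecodeOne(const uint8_t* in, size_t len, size_t& pos) {
  uint8_t b0 = in[pos];
  size_t need;
  uint32_t cp;
  if (b0 < 0x80) { pos += 1; return b0; }
  else if ((b0 & 0xE0) == 0xC0) { need = 1; cp = b0 & 0x1F; }
  else if ((b0 & 0xF0) == 0xE0) { need = 2; cp = b0 & 0x0F; }
  else if ((b0 & 0xF8) == 0xF0) { need = 3; cp = b0 & 0x07; }
  else { pos += 1; return 0xFFFD; }
  if (pos + need >= len) { pos += 1; return 0xFFFD; }  // truncated input
  for (size_t i = 1; i <= need; ++i) {
    uint8_t b = in[pos + i];
    if ((b & 0xC0) != 0x80) { pos += 1; return 0xFFFD; }
    cp = (cp << 6) | (b & 0x3F);
  }
  pos += need + 1;
  if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0xFFFD;
  return cp;
}

// Write one code point as UTF-16 into out, given `remaining` free units.
// Returns the number of units written, or 0 if the code point does not fit.
// The unchecked variant of this branch would write out[1] even when only
// one unit remains; that is the out-of-bounds write the commit fixes.
static size_t WriteUtf16(uint32_t cp, uint16_t* out, size_t remaining) {
  if (cp < 0x10000) {
    if (remaining < 1) return 0;
    out[0] = static_cast<uint16_t>(cp);
    return 1;
  }
  if (remaining < 2) return 0;  // a surrogate pair needs two units
  cp -= 0x10000;
  out[0] = static_cast<uint16_t>(0xD800 | (cp >> 10));
  out[1] = static_cast<uint16_t>(0xDC00 | (cp & 0x3FF));
  return 2;
}

// Decode UTF-8 into a fixed-capacity UTF-16 buffer, stopping at the first
// character that would not fit. Returns the number of units written, which
// is always <= capacity.
size_t Utf8ToUtf16(const uint8_t* in, size_t len, uint16_t* out, size_t capacity) {
  size_t pos = 0, written = 0;
  while (pos < len) {
    size_t save = pos;
    uint32_t cp = DecodeOne(in, len, pos);
    size_t n = WriteUtf16(cp, out + written, capacity - written);
    if (n == 0) { pos = save; break; }  // does not fit; never split a pair
    written += n;
  }
  return written;
}

int main() {
  // Constructed sample: "a", U+00E9, U+1F600 (the last needs a surrogate pair).
  const uint8_t in[] = {0x61, 0xC3, 0xA9, 0xF0, 0x9F, 0x98, 0x80};
  uint16_t out[5];
  for (size_t cap = 2; cap <= 4; ++cap) {
    for (uint16_t& u : out) u = 0xBEEF;  // canary beyond `cap` must survive
    size_t n = Utf8ToUtf16(in, sizeof in, out, cap);
    std::printf("capacity %zu -> %zu units written, canary out[%zu]=0x%04X\n",
                cap, n, cap, out[cap]);
  }
  return 0;
}
```

With capacity 3 the decoder writes two units and stops: the emoji's pair would need slots 2 and 3, and slot 3 lies past the buffer. The commit's point is exactly this handoff of the remaining count into the routine that performs the write.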