From 4750f0c3cd661128c4ecf22e8ea6cc06efec137d Mon Sep 17 00:00:00 2001 From: "lrn@chromium.org" Date: Tue, 4 Oct 2011 07:15:07 +0000 Subject: [PATCH] Fix issue 1415 - allow surrogate pair codes in decodeURIComponent. Also some cleanup of uri.js. BUG=v8:1415 TEST=mjsunit/regress/regress-1415 Review URL: http://codereview.chromium.org/8118004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9509 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/uri.js | 37 +++++++++++++++++++++---------- test/mjsunit/regress/regress-1415.js | 42 ++++++++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+), 11 deletions(-) create mode 100644 test/mjsunit/regress/regress-1415.js diff --git a/src/uri.js b/src/uri.js index c910d75..1656664 100644 --- a/src/uri.js +++ b/src/uri.js @@ -111,47 +111,59 @@ function URIDecodeOctets(octets, result, index) { var o1 = octets[1]; if (o0 < 0xe0) { var a = o0 & 0x1f; - if ((o1 < 0x80) || (o1 > 0xbf)) + if ((o1 < 0x80) || (o1 > 0xbf)) { throw new $URIError("URI malformed"); + } var b = o1 & 0x3f; value = (a << 6) + b; - if (value < 0x80 || value > 0x7ff) + if (value < 0x80 || value > 0x7ff) { throw new $URIError("URI malformed"); + } } else { var o2 = octets[2]; if (o0 < 0xf0) { var a = o0 & 0x0f; - if ((o1 < 0x80) || (o1 > 0xbf)) + if ((o1 < 0x80) || (o1 > 0xbf)) { throw new $URIError("URI malformed"); + } var b = o1 & 0x3f; - if ((o2 < 0x80) || (o2 > 0xbf)) + if ((o2 < 0x80) || (o2 > 0xbf)) { throw new $URIError("URI malformed"); + } var c = o2 & 0x3f; value = (a << 12) + (b << 6) + c; - if ((value < 0x800) || (value > 0xffff)) + if ((value < 0x800) || (value > 0xffff)) { throw new $URIError("URI malformed"); + } } else { var o3 = octets[3]; if (o0 < 0xf8) { var a = (o0 & 0x07); - if ((o1 < 0x80) || (o1 > 0xbf)) + if ((o1 < 0x80) || (o1 > 0xbf)) { throw new $URIError("URI malformed"); + } var b = (o1 & 0x3f); - if ((o2 < 0x80) || (o2 > 0xbf)) + if ((o2 < 0x80) || (o2 > 0xbf)) { throw new $URIError("URI malformed"); + } var c = (o2 & 0x3f); - if ((o3 < 0x80) || (o3 > 0xbf)) + if ((o3 < 0x80) || (o3 > 0xbf)) { throw new $URIError("URI malformed"); + } var d = (o3 & 0x3f); value = (a << 18) + (b << 12) + (c << 6) + d; - if ((value < 0x10000) || (value > 0x10ffff)) + if ((value < 0x10000) || (value > 0x10ffff)) { throw new $URIError("URI malformed"); + } } else { throw new $URIError("URI malformed"); } } } } + if (0xD800 <= value && value <= 0xDFFF) { + throw new $URIError("URI malformed"); + } if (value < 0x10000) { result[index++] = value; return index; @@ -214,7 +226,8 @@ function Decode(uri, reserved) { if (k + 3 * (n - 1) >= uriLength) throw new $URIError("URI malformed"); for (var i = 1; i < n; i++) { if (uri.charAt(++k) != '%') throw new $URIError("URI malformed"); - octets[i] = URIHexCharsToCharCode(uri.charCodeAt(++k), uri.charCodeAt(++k)); + octets[i] = URIHexCharsToCharCode(uri.charCodeAt(++k), + uri.charCodeAt(++k)); } index = URIDecodeOctets(octets, result, index); } else { @@ -366,7 +379,9 @@ function CharCodeToHex4Str(cc) { function IsValidHex(s) { for (var i = 0; i < s.length; ++i) { var cc = s.charCodeAt(i); - if ((48 <= cc && cc <= 57) || (65 <= cc && cc <= 70) || (97 <= cc && cc <= 102)) { + if ((48 <= cc && cc <= 57) || + (65 <= cc && cc <= 70) || + (97 <= cc && cc <= 102)) { // '0'..'9', 'A'..'F' and 'a' .. 'f'. } else { return false; diff --git a/test/mjsunit/regress/regress-1415.js b/test/mjsunit/regress/regress-1415.js new file mode 100644 index 0000000..f993e9b --- /dev/null +++ b/test/mjsunit/regress/regress-1415.js @@ -0,0 +1,42 @@ +// Copyright 2011 the V8 project authors. All rights reserved. +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials provided +// with the distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived +// from this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +// Surrogate pair range. +// U+D800 +assertThrows(function(){ decodeURIComponent("%ED%A0%80"); }, URIError); +// U+DBFF +assertThrows(function(){ decodeURIComponent("%ED%AF%BF"); }, URIError); +// U+DC00 +assertThrows(function(){ decodeURIComponent("%ED%B0%80"); }, URIError); +// U+DFFF +assertThrows(function(){ decodeURIComponent("%ED%BF%BF"); }, URIError); + +// Overlong encodings +// U+007F in two bytes. +assertThrows(function(){ decodeURIComponent("%C1%BF"); }, URIError); +// U+07FF in three bytes. +assertThrows(function(){ decodeURIComponent("%E0%9F%BF"); }, URIError); -- 2.7.4