Index: kjs/function.cpp
===================================================================
--- kjs/function.cpp (revision 495921)
+++ kjs/function.cpp (working copy)
@@ -77,7 +77,8 @@ UString encodeURI(ExecState *exec, UStri
}
else if (C.uc >= 0xD800 && C.uc <= 0xDBFF) {
- if (k == string.size()) {
+ // we need two chars
+ if (k + 1 >= string.size()) {
Object err = Error::create(exec,URIError);
exec->setException(err);
free(encbuf);
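Review bot: The added comment `// we need two chars` does not say why the bound moved from `k == string.size()` to `k + 1 >= string.size()`; the reason is that C is a high surrogate and the code presumably goes on to read `string[k+1]` as its low surrogate, which that read must not do past the end. I would state that directly so the off-by-one is not reintroduced later: `// C is a high surrogate: the low surrogate at string[k+1] must exist`. The read of the trailing surrogate and the rest of encodeURI's body are outside this hunk, so I cannot confirm whether the following code also checks that string[k+1] actually is a low surrogate.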
@@ -197,6 +198,10 @@ UString decodeURI(ExecState *exec, UStri
}
k += 2;
+
+ if (decbufLen+2 >= decbufAlloc)
+ decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
+
if ((B & 0x80) == 0) {
// Single-byte character
C = B;
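Review bot: The `realloc` on the added growth line is unchecked: if it returns NULL, `decbuf` is overwritten with NULL, the original buffer is leaked, and the later `decbuf[decbufLen++] = C` writes through a null pointer. The same unchecked pattern already exists in the `while` loop visible at the end of the last hunk, so this is consistent with the surrounding code, but the new growth site is where I would start: assign the result to a temporary and, on NULL, free the old buffer and return through the same error path the other failures use (the other paths here raise URIError; an allocation failure may deserve a different error if the file has one). It would also help to say why the reserve is `+2` rather than `+1`: a 4-byte sequence decodes to a surrogate pair, so up to two UChars may be appended in one iteration. decodeURI's loop body starts and ends outside this hunk.
```cpp
    k += 2;

    // A 4-byte sequence decodes to a surrogate pair, so up to two UChars
    // may be appended in this iteration; grow the buffer before appending.
    if (decbufLen+2 >= decbufAlloc) {
      UChar *grown = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
      if (!grown) {
        Object err = Error::create(exec,URIError);
        exec->setException(err);
        free(decbuf);
        return UString();
      }
      decbuf = grown;
    }
    // … unchanged: dispatch on the lead byte B …
```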
@@ -257,6 +262,12 @@ UString decodeURI(ExecState *exec, UStri
assert(n == 4);
unsigned long uuuuu = ((octets[0] & 0x07) << 2) | ((octets[1] >> 4) & 0x03);
unsigned long vvvv = uuuuu-1;
+ if (vvvv > 0x0F) {
+ Object err = Error::create(exec,URIError);
+ exec->setException(err);
+ free(decbuf);
+ return UString();
+ }
unsigned long wwww = octets[1] & 0x0F;
unsigned long xx = (octets[2] >> 4) & 0x03;
unsigned long yyyy = octets[2] & 0x0F;
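Review bot: The new range check on `vvvv` relies on unsigned wraparound that is easy to misread as an underflow bug: `uuuuu` is built from five bits (0..31), so `vvvv = uuuuu-1` wraps to ULONG_MAX when `uuuuu` is 0, and `vvvv > 0x0F` therefore rejects both code points above U+10FFFF (`uuuuu` > 16) and an overlong 4-byte encoding of a BMP character (`uuuuu` == 0). A comment stating the accepted range would stop a later maintainer from "fixing" the subtraction: `// uuuuu must be 1..16 (U+10000..U+10FFFF); uuuuu == 0 wraps and is rejected as overlong`. The error path itself (set URIError, free decbuf, return an empty UString) matches the other error returns visible on this page.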
@@ -270,9 +281,7 @@ UString decodeURI(ExecState *exec, UStri
}
if (reservedSet.find(C) < 0) {
- if (decbufLen+1 >= decbufAlloc)
- decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
- decbuf[decbufLen++] = C;
+ decbuf[decbufLen++] = C;
}
else {
while (decbufLen+k-start >= decbufAlloc)