Title: [245645] trunk
- Revision: 245645
- Author: [email protected]
- Date: 2019-05-22 14:01:40 -0700 (Wed, 22 May 2019)
Log Message
Stack-buffer-overflow in decodeURIComponent
https://bugs.webkit.org/show_bug.cgi?id=198109
<rdar://problem/50397550>
Reviewed by Michael Saboff.
JSTests:
* stress/decode-uri-icu-count-trail-bytes.js: Added.
(i.j.try.i.toString):
(i.j.catch):
Source/_javascript_Core:
Since r244828 we started using U8_MAX_LENGTH to determine the size of the buffer and
U8_COUNT_TRAIL_BYTES when decoding UTF-8 sequences in JSC::decode. However, U8_MAX_LENGTH
is defined as 4 and in pre-60 ICU U8_COUNT_TRAIL_BYTES returns 0..5.
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::decode):
Diff
Modified: trunk/JSTests/ChangeLog (245644 => 245645)
--- trunk/JSTests/ChangeLog 2019-05-22 20:58:32 UTC (rev 245644)
+++ trunk/JSTests/ChangeLog 2019-05-22 21:01:40 UTC (rev 245645)
@@ -1,3 +1,15 @@
+2019-05-22 Tadeu Zagallo <[email protected]>
+
+ Stack-buffer-overflow in decodeURIComponent
+ https://bugs.webkit.org/show_bug.cgi?id=198109
+ <rdar://problem/50397550>
+
+ Reviewed by Michael Saboff.
+
+ * stress/decode-uri-icu-count-trail-bytes.js: Added.
+ (i.j.try.i.toString):
+ (i.j.catch):
+
2019-05-22 Yusuke Suzuki <[email protected]>
Don't clear PropertyNameArray in Proxy code
Added: trunk/JSTests/stress/decode-uri-icu-count-trail-bytes.js (0 => 245645)
--- trunk/JSTests/stress/decode-uri-icu-count-trail-bytes.js (rev 0)
+++ trunk/JSTests/stress/decode-uri-icu-count-trail-bytes.js 2019-05-22 21:01:40 UTC (rev 245645)
@@ -0,0 +1,10 @@
+const rest = new Array(14).fill("%00").join('');
+const uri = `%fd%f0%f0%f0%ff%ff%ff${rest}`;
+for (let i = 0; i < 256; i++) {
+ for (let j = 0; j < 256; j++) {
+ try {
+ decodeURIComponent(`${uri}%${i.toString(16)}%${j.toString(16)}%ff%ff%ff%ff%ff`);
+ } catch (err) {
+ }
+ }
+}
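Review bot: `i.toString(16)` and `j.toString(16)` are not zero-padded, so whenever i < 16 or j < 16 the escape degenerates to a single hex digit followed by `%` (for example `%a%ff`), which decodeURIComponent rejects as malformed; those iterations end in a URIError at that escape instead of decoding the byte values the two loops are meant to sweep. Use `i.toString(16).padStart(2, '0')` and the same for `j`. A short header comment naming bug 198109 and stating that the only expectation is "does not crash" (the empty `catch` deliberately swallows the URIError) would also save the next reader from guessing what the `%fd` lead byte and the 256x256 loop are for.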
Modified: trunk/Source/_javascript_Core/ChangeLog (245644 => 245645)
--- trunk/Source/_javascript_Core/ChangeLog 2019-05-22 20:58:32 UTC (rev 245644)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-05-22 21:01:40 UTC (rev 245645)
@@ -1,3 +1,18 @@
+2019-05-22 Tadeu Zagallo <[email protected]>
+
+ Stack-buffer-overflow in decodeURIComponent
+ https://bugs.webkit.org/show_bug.cgi?id=198109
+ <rdar://problem/50397550>
+
+ Reviewed by Michael Saboff.
+
+ Since r244828 we started using U8_MAX_LENGTH to determine the size of the buffer and
+ U8_COUNT_TRAIL_BYTES when decoding UTF-8 sequences in JSC::decode. However, U8_MAX_LENGTH
+ is defined as 4 and in pre-60 ICU U8_COUNT_TRAIL_BYTES returns 0..5.
+
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::decode):
+
2019-05-22 Yusuke Suzuki <[email protected]>
Don't clear PropertyNameArray in Proxy code
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp (245644 => 245645)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp 2019-05-22 20:58:32 UTC (rev 245644)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp 2019-05-22 21:01:40 UTC (rev 245645)
@@ -184,7 +184,12 @@
const int sequenceLen = 1 + U8_COUNT_TRAIL_BYTES(b0);
if (k <= length - sequenceLen * 3) {
charLen = sequenceLen * 3;
+#if U_ICU_VERSION_MAJOR_NUM >= 60
uint8_t sequence[U8_MAX_LENGTH];
+#else
+ // In pre-60 ICU, U8_COUNT_TRAIL_BYTES returns 0..5
+ uint8_t sequence[6];
+#endif
sequence[0] = b0;
for (int i = 1; i < sequenceLen; ++i) {
const CharType* q = p + i * 3;
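Review bot: the `#if U_ICU_VERSION_MAJOR_NUM >= 60` split sizes `sequence` from a compile-time assumption about what `U8_COUNT_TRAIL_BYTES` can return, but nothing in the hunk checks at runtime that `sequenceLen` actually fits; an ICU build whose macro range differs from either assumption would reintroduce the same stack overflow silently, and the write loop below indexes `sequence[i]` up to `sequenceLen - 1` with no bound of its own. Suggest either declaring `uint8_t sequence[6];` unconditionally (the two extra stack bytes cost nothing and the version dependence disappears) or keeping the `#if` and adding a guard right after the `#endif`, e.g. `RELEASE_ASSERT(sequenceLen <= static_cast<int>(sizeof(sequence)));`, so that any future mismatch fails loudly rather than corrupting the stack.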
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes