Issue 1226493003: unicode-decoder: fix out-of-band write in utf16

Issue 1226493003: unicode-decoder: fix out-of-band write in utf16 (Closed)

Created:
5 years, 5 months ago by fedor.indutny

Modified:
5 years, 5 months ago

Reviewers:
jochen (gone - plz use gerrit), svenpanne, danno

Base URL:
https://chromium.googlesource.com/v8/v8.git@master

Target Ref:
refs/pending/heads/master

Project:
v8

Visibility:
Public.

More Reviews

Description

unicode-decoder: fix out-of-band write in utf16 `WriteUtf16Slow` should not assume that the output buffer has enough bytes to hold both words of surrogate pair. It should pass the number of remaining bytes to the `Utf8::ValueOf` instead, just as we already do in `Utf8DecoderBase::Reset`. Otherwise it will attempt to write the trail uint16_t past the buffer boundary, leading to memory corruption and possible crash. Originally reported by: Kris Reeves <kris.re@bbhmedia.com>; BUG=v8:4274 R=danno R=svenpanne LOG=y Committed: https://crrev.com/b199bcdd47ae97ec116b430e34ab42001c8f04c0 Cr-Commit-Position: refs/heads/master@{#29485}

Patch Set 1 #

Patch Set 2 : fix memory leak #

Patch Set 3 : better fix #

Total comments: 4

Patch Set 4 : fixes #

Created: 5 years, 5 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+64 lines, -5 lines)			Patch
M	src/unicode-decoder.h	View	1 2	3 chunks	+5 lines, -3 lines	0 comments	Download
M	src/unicode-decoder.cc	View	1 2 3	3 chunks	+8 lines, -2 lines	0 comments	Download
M	test/cctest/test-api.cc	View	1 2 3	1 chunk	+51 lines, -0 lines	0 comments	Download

Messages

Total messages: 18 (4 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

fedor.indutny

This is a security issue for node.js, io.js and maybe chromium!

5 years, 5 months ago (2015-07-02 19:42:47 UTC) #1

fedor.indutny

Aaargh, didn't see the CC field. Looks like it is out for everyone now.

5 years, 5 months ago (2015-07-02 19:45:58 UTC) #2

fedor.indutny

Just pushed out a follow up commit to fix handling of trailing 3 byte sequences. ...

5 years, 5 months ago (2015-07-03 19:16:37 UTC) #3

jochen (gone - plz use gerrit)

https://codereview.chromium.org/1226493003/diff/40001/test/cctest/test-api.cc File test/cctest/test-api.cc (right): https://codereview.chromium.org/1226493003/diff/40001/test/cctest/test-api.cc#newcode7436 test/cctest/test-api.cc:7436: v8::Handle<v8::String> str = v8::String::NewFromUtf8( please don't use deprecated APIs ...

5 years, 5 months ago (2015-07-04 08:05:18 UTC) #5

fedor.indutny

5 years, 5 months ago (2015-07-04 17:02:39 UTC) #6

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1226493003/60001

5 years, 5 months ago (2015-07-06 10:30:20 UTC) #10

Michael Hablich

On 2015/07/06 07:30:02, jochen wrote: > lgtm I unprotected CL so it can be processed ...

5 years, 5 months ago (2015-07-06 10:30:26 UTC) #11

commit-bot: I haz the power

Try jobs failed on following builders: v8_presubmit on tryserver.v8 (JOB_FAILED, http://build.chromium.org/p/tryserver.v8/builders/v8_presubmit/builds/3975)

5 years, 5 months ago (2015-07-06 10:41:58 UTC) #13

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1226493003/60001

5 years, 5 months ago (2015-07-06 10:43:05 UTC) #15

commit-bot: I haz the power

Patchset 4 (id:??) landed as https://crrev.com/b199bcdd47ae97ec116b430e34ab42001c8f04c0 Cr-Commit-Position: refs/heads/master@{#29485}

5 years, 5 months ago (2015-07-06 11:00:22 UTC) #17

fedor.indutny

5 years, 5 months ago (2015-07-06 16:40:16 UTC) #18

Message was sent while issue was closed.

On 2015/07/06 11:00:22, commit-bot: I haz the power wrote:
> Patchset 4 (id:??) landed as
> https://crrev.com/b199bcdd47ae97ec116b430e34ab42001c8f04c0
> Cr-Commit-Position: refs/heads/master@{#29485}

Thank you!

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages