src/js/uri.js - Issue 1889133003: Security: type confusion lead to information leak in decodeURI

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/js/uri.js

Issue 1889133003: Security: type confusion lead to information leak in decodeURI (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master

Patch Set: Created 4 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/js/uri.js

diff --git a/src/js/uri.js b/src/js/uri.js

index 712d7e60f37f1254edd9b06e89d51f18e765de41..dca83c9b2325c649412206dd1611b90db72d5219 100644

--- a/src/js/uri.js

+++ b/src/js/uri.js

@@ -15,7 +15,6 @@

// Imports

var GlobalObject = global.Object;

-var GlobalArray = global.Array;

var InternalArray = utils.InternalArray;

var MakeURIError;

@@ -76,7 +75,7 @@ function URIEncodeSingle(cc, result, index) {

var x = (cc >> 12) & 0xF;

var y = (cc >> 6) & 63;

var z = cc & 63;

- var octets = new GlobalArray(3);

+ var octets = new InternalArray(3);

if (cc <= 0x007F) {

octets[0] = cc;

} else if (cc <= 0x07FF) {

@@ -96,7 +95,7 @@ function URIEncodePair(cc1 , cc2, result, index) {

var x = cc1 & 3;

var y = (cc2 >> 6) & 0xF;

var z = cc2 & 63;

- var octets = new GlobalArray(4);

+ var octets = new InternalArray(4);

octets[0] = (u >> 2) + 240;

octets[1] = (((u & 3) << 4) | w) + 128;

octets[2] = ((x << 4) | y) + 128;

@@ -248,7 +247,7 @@ function Decode(uri, reserved) {

var n = 0;

while (((cc << ++n) & 0x80) != 0) { }

if (n == 1 || n > 4) throw MakeURIError();

- var octets = new GlobalArray(n);

+ var octets = new InternalArray(n);

octets[0] = cc;

if (k + 3 * (n - 1) >= uriLength) throw MakeURIError();

for (var i = 1; i < n; i++) {

« no previous file with comments | « no previous file | test/mjsunit/regress/regress-602970.js » ('j') | no next file with comments »