|
|
Index: kjs/function.cpp
===================================================================
--- kjs/function.cpp (revision 495921)
+++ ./kjs/function.cpp (working copy)
@@ -77,7 +77,8 @@ UString encodeURI(ExecState *exec, UStri
} else if (C.uc >= 0xD800 && C.uc <= 0xDBFF) { - if (k == string.size()) {
+ // we need two chars
+ if (k + 1 >= string.size()) {
Object err = Error::create(exec,URIError); exec->setException(err); free(encbuf);@@ -197,6 +198,10 @@ UString decodeURI(ExecState *exec, UStri
} k += 2;+
+ if (decbufLen+2 >= decbufAlloc)
+ decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
+
if ((B & 0x80) == 0) { // Single-byte character C = B;@@ -257,6 +262,12 @@ UString decodeURI(ExecState *exec, UStri
assert(n == 4); unsigned long uuuuu = ((octets[0] & 0x07) << 2) | ((octets[1] >> 4) & 0x03); unsigned long vvvv = uuuuu-1;+ if (vvvv > 0x0F) {
+ Object err = Error::create(exec,URIError);
+ exec->setException(err);
+ free(decbuf);
+ return UString();
+ }
unsigned long wwww = octets[1] & 0x0F; unsigned long xx = (octets[2] >> 4) & 0x03; unsigned long yyyy = octets[2] & 0x0F;@@ -270,9 +281,7 @@ UString decodeURI(ExecState *exec, UStri
} if (reservedSet.find(C) < 0) {- if (decbufLen+1 >= decbufAlloc)
- decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
- decbuf[decbufLen++] = C;
+ decbuf[decbufLen++] = C;
} else { while (decbufLen+k-start >= decbufAlloc)
|
