Index: kjs/function.cpp
===================================================================
--- kjs/function.cpp (revision 496441)
+++ kjs/function.cpp (working copy)
@@ -77,7 +77,8 @@ UString encodeURI(ExecState *exec, UStri
}
else if (C.uc >= 0xD800 && C.uc <= 0xDBFF) {
- if (k == string.size()) {
+ // we need two chars
+ if (k + 1 >= string.size()) {
Object err = Error::create(exec,URIError);
exec->setException(err);
free(encbuf);
@@ -197,6 +198,10 @@ UString decodeURI(ExecState *exec, UStri
}
k += 2;
+
+ if (decbufLen+2 >= decbufAlloc)
+ decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
+
if ((B & 0x80) == 0) {
// Single-byte character
C = B;
@@ -257,6 +262,12 @@ UString decodeURI(ExecState *exec, UStri
assert(n == 4);
unsigned long uuuuu = ((octets[0] & 0x07) << 2) | ((octets[1] >> 4) & 0x03);
unsigned long vvvv = uuuuu-1;
+ if (vvvv > 0x0F) {
+ Object err = Error::create(exec,URIError);
+ exec->setException(err);
+ free(decbuf);
+ return UString();
+ }
unsigned long wwww = octets[1] & 0x0F;
unsigned long xx = (octets[2] >> 4) & 0x03;
unsigned long yyyy = octets[2] & 0x0F;
@@ -270,9 +281,7 @@ UString decodeURI(ExecState *exec, UStri
}
if (reservedSet.find(C) < 0) {
- if (decbufLen+1 >= decbufAlloc)
- decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
- decbuf[decbufLen++] = C;
+ decbuf[decbufLen++] = C;
}
else {
while (decbufLen+k-start >= decbufAlloc)
