← Back to branch summary

~ubuntu-branches/ubuntu/karmic/seamonkey/karmic

« back to all changes in this revision

Viewing changes to xpcom/string/public/nsUTF8Utils.h

  • Committer: Bazaar Package Importer
  • Author(s): Fabien Tassin
  • Date: 2008-09-30 00:41:24 UTC
  • mfrom: (1.1.5 upstream)
  • Revision ID: james.westby@ubuntu.com-20080930004124-nkkda6z7mf4fxagi
Tags: 1.1.12+nobinonly-0ubuntu1
https://launchpad.net/bugs/276437
* New security upstream release: 1.1.12 (LP: #276437)
  - CVE-2008-4070: Heap overflow when canceling newsgroup message
  - CVE-2008-4069: XBM image uninitialized memory reading
  - CVE-2008-4067..4068: resource: traversal vulnerabilities
  - CVE-2008-4065..4066: BOM characters stripped from JavaScript before execution
  - CVE-2008-4061..4064: Crashes with evidence of memory corruption
  - CVE-2008-4058..4060: Privilege escalation via XPCnativeWrapper pollution
  - CVE-2008-3837: Forced mouse drag
  - CVE-2008-3835: nsXMLDocument::OnChannelRedirect() same-origin violation
  - CVE-2008-0016: UTF-8 URL stack buffer overflow

Show diffs side-by-side

added added

removed removed

Lines of Context:
xpcom/string/public/nsUTF8Utils.h
39
39
#ifndef nsUTF8Utils_h_
40
40
#define nsUTF8Utils_h_
41
41
 
 
42
#include "nsCharTraits.h"
 
43
 
42
44
class UTF8traits
43
45
  {
44
46
    public:
51
53
      static PRBool is6byte(char c) { return (c & 0xFE) == 0xFC; }
52
54
  };
53
55
 
54
 
#define PLANE1_BASE           0x00010000  
55
 
#define UCS2_REPLACEMENT_CHAR 0xfffd     
56
 
 
57
56
#ifdef __GNUC__
58
57
#define NS_ALWAYS_INLINE __attribute__((always_inline))
59
58
#else
139
138
 
140
139
            while ( state-- )
141
140
              {
 
141
                if (p == end)
 
142
                  {
 
143
                    NS_ERROR("Buffer ended in the middle of a multibyte sequence");
 
144
                    mErrorEncountered = PR_TRUE;
 
145
                    mBuffer = out;
 
146
                    return N;
 
147
                  }
 
148
 
142
149
                c = *p++;
143
150
 
144
151
                if ( UTF8traits::isInSeq(c) )
176
183
              }
177
184
            else if ( ucs4 >= PLANE1_BASE )
178
185
              {
179
 
                if ( ucs4 >= 0x00110000 )
 
186
                if ( ucs4 >= UCS_END )
180
187
                  *out++ = UCS2_REPLACEMENT_CHAR;
181
188
                else {
182
 
                  // surrogate, see unicode specification 3.7 for following math.
183
 
                  ucs4 -= PLANE1_BASE;
184
 
                  *out++ = (PRUnichar)(ucs4 >> 10) | 0xd800u;
185
 
                  *out++ = (PRUnichar)(ucs4 & 0x3ff) | 0xdc00u;
 
189
                  *out++ = (buffer_type)H_SURROGATE(ucs4);
 
190
                  *out++ = (buffer_type)L_SURROGATE(ucs4);
186
191
                }
187
192
              }
188
193
            else
308
313
                *out++ = 0xC0 | (char)(c >> 6);
309
314
                *out++ = 0x80 | (char)(0x003F & c);
310
315
              }
311
 
            else if (0xD800 != (0xF800 & c)) // U+0800 - U+D7FF,U+E000 - U+FFFF
 
316
            else if (!IS_SURROGATE(c)) // U+0800 - U+D7FF,U+E000 - U+FFFF
312
317
              {
313
318
                *out++ = 0xE0 | (char)(c >> 12);
314
319
                *out++ = 0x80 | (char)(0x003F & (c >> 6));
315
320
                *out++ = 0x80 | (char)(0x003F & c );
316
321
              }
317
 
            else if (0xD800 == (0xFC00 & c)) // U+D800 - U+DBFF
 
322
            else if (IS_HIGH_SURROGATE(c)) // U+D800 - U+DBFF
318
323
              {
319
324
                // D800- DBFF - High Surrogate
320
 
                // N = (H- D800) *400 + 10000 + ...
321
 
                PRUint32 ucs4 = 0x10000 + ((0x03FF & c) << 10);
 
325
                value_type h = c;
322
326
 
323
327
                ++p;
324
328
                if (p == end)
329
333
                  }
330
334
                c = *p;
331
335
 
332
 
                if (0xDC00 == (0xFC00 & c))
 
336
                if (IS_LOW_SURROGATE(c))
333
337
                  {
334
338
                    // DC00- DFFF - Low Surrogate
335
 
                    // N += ( L - DC00 )
336
 
                    ucs4 |= (0x03FF & c);
 
339
                    // N = (H - D800) *400 + 10000 + ( L - DC00 )
 
340
                    PRUint32 ucs4 = SURROGATE_TO_UCS4(h, c);
337
341
 
338
342
                    // 0001 0000-001F FFFF
339
343
                    *out++ = 0xF0 | (char)(ucs4 >> 18);