From 78b0e30954111cfaba0edbeee85450d8cbc6fdf6 Mon Sep 17 00:00:00 2001
From: Fedor Indutny
Date: Fri, 3 Jul 2015 15:43:44 -0700
Subject: deps: fix out-of-band write in utf8 decoder
Originally reported by: Kris Reeves
Reviewed-By: Trevor Norris
---
 deps/v8/src/unicode-inl.h | 4 ++--
 deps/v8/src/unicode.cc | 9 ++++++++-
 deps/v8/src/unicode.h | 6 +++---
 3 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/deps/v8/src/unicode-inl.h b/deps/v8/src/unicode-inl.h
index 81327d7ad..b8a7bf632 100644
--- a/deps/v8/src/unicode-inl.h
+++ b/deps/v8/src/unicode-inl.h
@@ -155,6 +155,7 @@ unsigned Utf8::Length(uchar c, int previous) {
 Utf8DecoderBase::Utf8DecoderBase()
 : unbuffered_start_(NULL),
+ unbuffered_length_(0),
 utf16_length_(0),
 last_byte_of_buffer_unused_(false) {}
@@ -194,8 +195,7 @@ unsigned Utf8Decoder::WriteUtf16(uint16_t* data,
 if (length <= buffer_length) return length;
 DCHECK(unbuffered_start_ != NULL);
 // Copy the rest the slow way.
- WriteUtf16Slow(unbuffered_start_,
- data + buffer_length,
+ WriteUtf16Slow(unbuffered_start_, unbuffered_length_, data + buffer_length,
 length - buffer_length);
 return length;
 }
diff --git a/deps/v8/src/unicode.cc b/deps/v8/src/unicode.cc
index a128a6ff0..5f668c2ac 100644
--- a/deps/v8/src/unicode.cc
+++ b/deps/v8/src/unicode.cc
@@ -265,6 +265,7 @@ void Utf8DecoderBase::Reset(uint16_t* buffer,
 // Assume everything will fit in the buffer and stream won't be needed.
 last_byte_of_buffer_unused_ = false;
 unbuffered_start_ = NULL;
+ unbuffered_length_ = 0;
 bool writing_to_buffer = true;
 // Loop until stream is read, writing to buffer as long as buffer has space.
 unsigned utf16_length = 0;
@@ -291,6 +292,7 @@ void Utf8DecoderBase::Reset(uint16_t* buffer,
 // Just wrote last character of buffer
 writing_to_buffer = false;
 unbuffered_start_ = stream;
+ unbuffered_length_ = stream_length;
 }
 continue;
 }
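Review bot: The fast path now hands `unbuffered_length_` to WriteUtf16Slow but still only asserts `unbuffered_start_ != NULL`; once `length > buffer_length` there is UTF-16 output still owed, so a zero byte count at this call would mean Reset's accounting and this call disagree and the slow loop would run with no input left to bound it. Adding `DCHECK(unbuffered_length_ != 0);` next to the existing NULL check would surface that inconsistency at the call site in debug builds instead of inside the decoder. WriteUtf16 begins before this hunk, so how `length` and `buffer_length` are derived is not visible here.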
@@ -300,20 +302,24 @@ void Utf8DecoderBase::Reset(uint16_t* buffer,
 writing_to_buffer = false;
 last_byte_of_buffer_unused_ = true;
 unbuffered_start_ = stream - cursor;
+ unbuffered_length_ = stream_length + cursor;
 }
 utf16_length_ = utf16_length;
 }
 void Utf8DecoderBase::WriteUtf16Slow(const uint8_t* stream,
+ unsigned stream_length,
 uint16_t* data,
 unsigned data_length) {
 while (data_length != 0) {
 unsigned cursor = 0;
- uint32_t character = Utf8::ValueOf(stream, Utf8::kMaxEncodedSize, &cursor);
+
+ uint32_t character = Utf8::ValueOf(stream, stream_length, &cursor);
 // There's a total lack of bounds checking for stream
 // as it was already done in Reset.
 stream += cursor;
+ stream_length -= cursor;
 if (character > unibrow::Utf16::kMaxNonSurrogateCharCode) {
 *data++ = Utf16::LeadSurrogate(character);
 *data++ = Utf16::TrailSurrogate(character);
@@ -324,6 +330,7 @@ void Utf8DecoderBase::WriteUtf16Slow(const uint8_t* stream,
 data_length -= 1;
 }
 }
+ DCHECK(stream_length >= 0);
 }
diff --git a/deps/v8/src/unicode.h b/deps/v8/src/unicode.h
index e2d6b96b9..07a7c8ace 100644
--- a/deps/v8/src/unicode.h
+++ b/deps/v8/src/unicode.h
@@ -172,10 +172,10 @@ class Utf8DecoderBase {
 unsigned buffer_length,
 const uint8_t* stream,
 unsigned stream_length);
- static void WriteUtf16Slow(const uint8_t* stream,
- uint16_t* data,
- unsigned length);
+ static void WriteUtf16Slow(const uint8_t* stream, unsigned stream_length,
+ uint16_t* data, unsigned length);
 const uint8_t* unbuffered_start_;
+ unsigned unbuffered_length_;
 unsigned utf16_length_;
 bool last_byte_of_buffer_unused_;
 private:
-- cgit v1.2.1
From 0be9a77bb18ec15b4fb6a1fb0762f313b7351201 Mon Sep 17 00:00:00 2001
From: Julien Gilli
Date: Fri, 3 Jul 2015 17:33:28 -0700
Subject: 2015.07.03, Version 0.12.6 (Stable)
* V8: fix out-of-band write in utf8 decoder
---
 ChangeLog | 7 ++++++-
 src/node_version.h | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 27f5240f8..6cd37fef9 100644
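Review bot: `stream_length -= cursor;` is an unsigned subtraction with nothing guaranteeing `cursor <= stream_length`, so if `Utf8::ValueOf` ever reports a cursor past the bytes it was given, or the loop is entered with `stream_length` already 0 while `data_length` is still nonzero, the count wraps to roughly 4 GiB and the next `ValueOf` call is effectively unbounded again, which is the very condition this patch is meant to remove. I would add `DCHECK(cursor <= stream_length);` immediately before the subtraction, in the DCHECK style this file already uses. The retained two-line comment `// There's a total lack of bounds checking for stream` / `// as it was already done in Reset.` is now inaccurate since `stream_length` is passed precisely to bound the read; something like `// stream_length bounds ValueOf; anything beyond that relies on Reset's earlier pass.` reads truer. WriteUtf16Slow's tail lies in the following hunk.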
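Review bot: `DCHECK(stream_length >= 0);` can never fail because `stream_length` is declared `unsigned` (see the new parameter in the signature earlier in this file), so it asserts nothing and GCC/Clang warn about a comparison that is always true under -Wtype-limits / -Wtautological-compare. If Reset's byte accounting is exact, the slow path should consume precisely the bytes it was handed, in which case `DCHECK(stream_length == 0);` is the assertion that actually carries information; if that invariant is not guaranteed, drop the line rather than keep a vacuous check. Note that a wraparound caused by the `stream_length -= cursor` line cannot be caught at this point, only before the subtraction.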
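Review bot: The new `unbuffered_length_` member and the `stream_length` parameter of WriteUtf16Slow are undocumented, and the pairing between the member and `unbuffered_start_` is the invariant this fix depends on. Above the member I would add `// Input bytes not yet decoded, starting at unbuffered_start_; 0 when the whole input fit in the buffer.` and above the declaration `// stream_length bounds reads from stream; data must have room for length UTF-16 units.` The "0 when everything fit" wording matches Reset clearing it to 0 and only assigning it once the buffer fills, but the class declaration begins outside this hunk, so confirm against the rest of the class.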
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,9 @@
-2015.06.22, Version 0.12.5 (Stable)
+2015.07.03, Version 0.12.6 (Stable)
+
+* V8: fix out-of-band write in utf8 decoder
+
+
+2015.06.22, Version 0.12.5 (Stable), 61c6abf00898fe00eb7fcf2c23ba0b01cf12034c
 * openssl: upgrade to 1.0.1o (Addressing multiple CVEs)
diff --git a/src/node_version.h b/src/node_version.h
index c0359cec8..bd4c1eaa9 100644
--- a/src/node_version.h
+++ b/src/node_version.h
@@ -26,7 +26,7 @@
 #define NODE_MINOR_VERSION 12
 #define NODE_PATCH_VERSION 6
-#define NODE_VERSION_IS_RELEASE 0
+#define NODE_VERSION_IS_RELEASE 1
 #ifndef NODE_TAG
 # define NODE_TAG ""
-- cgit v1.2.1