From f69063590b4d00addc344ff7e5dbfd91cd95b02e Mon Sep 17 00:00:00 2001
From: rootvector2
Date: Sun, 14 Jun 2026 01:12:45 +0530
Subject: [PATCH] bound recovery scan to input end in xs_textdecoder_decode
---
 modules/data/text/decoder/textdecoder.c | 4 ++--
 tests/modules/data/text/decoder/decodestream.js | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/modules/data/text/decoder/textdecoder.c b/modules/data/text/decoder/textdecoder.c
index 56f2fbd284..2c7f6c912a 100644
--- a/modules/data/text/decoder/textdecoder.c
+++ b/modules/data/text/decoder/textdecoder.c
@@ -187,7 +187,7 @@ void xs_textdecoder_decode(xsMachine *the)
 else if (first > 0xF4) // no valid next byte
 clen = 0;
- while (clen-- > 0) {
+ while ((clen-- > 0) && (src < srcEnd)) {
 uint8_t c = c_read8(src);
 if ((lower <= c) && (c <= upper))
 src++;
@@ -321,7 +321,7 @@ void xs_textdecoder_decode(xsMachine *the)
 else if (first > 0xF4) // no valid next byte
 clen = 0;
- while (clen-- > 0) {
+ while ((clen-- > 0) && (src < srcEnd)) {
 uint8_t c = c_read8(src);
 if ((lower <= c) && (c <= upper))
 src++;
diff --git a/tests/modules/data/text/decoder/decodestream.js b/tests/modules/data/text/decoder/decodestream.js
index 9f707e07c0..4d344e76e7 100644
--- a/tests/modules/data/text/decoder/decodestream.js
+++ b/tests/modules/data/text/decoder/decodestream.js
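Review bot: The bound `src < srcEnd` had to be added to two identical copies of the recovery loop (the hunks at lines 187 and 321), so the copies can drift apart again; moving the scan into one static helper, or at least putting the same comment above both loops, would keep them in step. A suitable comment is `// the lead byte may have been buffered from an earlier chunk, so clen can exceed the bytes left: stop at srcEnd`. In both hunks `clen--` is still evaluated when `src == srcEnd`; if code after the loop reads clen (not visible here), `while ((src < srcEnd) && (clen-- > 0))` would leave it at the number of continuation bytes not yet scanned. xs_textdecoder_decode starts and ends outside both hunks.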
@@ -46,3 +46,10 @@ assert.sameValue("\uFFFD", decoder.decode());
 assert.sameValue("", decoder.decode(Uint8Array.of(0xF0, 0x9F, 0x92), {stream: true}));
 assert.sameValue("\uFFFD", decoder.decode());
+
+// illegal sequence spanning a buffered partial lead and a short final chunk:
+// the recovery scan must stop at the end of the input, not past it. The chunk is a
+// view whose backing store holds continuation bytes (0x90) past its length.
+assert.sameValue("", decoder.decode(Uint8Array.of(0xF0, 0x80), {stream: true}));
+assert.sameValue("\uFFFD\uFFFD", decoder.decode(new Uint8Array(8).fill(0x90).subarray(0, 2), {stream: true}));
+assert.sameValue("", decoder.decode());
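Review bot: This case detects the over-read only through the decoded string, because the bytes after the view are 0x90 in the same backing store; a chunk that ends exactly at the end of its buffer is not covered, and there an unbounded scan could read outside the allocation without necessarily changing the output. Repeating the sequence with `new Uint8Array(8).fill(0x90).subarray(6, 8)` as the final chunk would cover that boundary when the suite runs under a memory checker. The case also reuses the `decoder` instance created outside this hunk and assumes it holds no buffered bytes, so a fresh instance or a comment stating that assumption would make a failure here easier to attribute.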