Bug 660612 - Utf8ToOneUcs4Char passes invalid UTF-8 octets '%ED%A0%80', so decodeURIComponent('%ED%A0%80') doesn't throw. r=jwalden

js/src/jsstr.cpp

@@ -141,7 +141,7 @@ str_encodeURI(JSContext *cx, uintN argc, Value *vp);
 static JSBool
 str_encodeURI_Component(JSContext *cx, uintN argc, Value *vp);
 
-static const uint32 OVERLONG_UTF8 = UINT32_MAX;
+static const uint32 INVALID_UTF8 = UINT32_MAX;
 
 static uint32
 Utf8ToOneUcs4Char(const uint8 *utf8Buffer, int utf8Length);
@@ -5643,8 +5643,8 @@ Utf8ToOneUcs4Char(const uint8 *utf8Buffer, int utf8Length)
             JS_ASSERT((*utf8Buffer & 0xC0) == 0x80);
             ucs4Char = ucs4Char<<6 | (*utf8Buffer++ & 0x3F);
         }
-        if (JS_UNLIKELY(ucs4Char < minucs4Char)) {
-            ucs4Char = OVERLONG_UTF8;
+        if (JS_UNLIKELY(ucs4Char < minucs4Char || (ucs4Char >= 0xD800 && ucs4Char <= 0xDFFF))) {
+            ucs4Char = INVALID_UTF8;
         } else if (ucs4Char == 0xFFFE || ucs4Char == 0xFFFF) {
             ucs4Char = 0xFFFD;
         }

js/src/tests/ecma_5/Global/bug660612.js

@@ -0,0 +1,7 @@
+try {
+    decodeURIComponent('%ED%A0%80');
+    assertEq(true, false, "expected an URIError");
+} catch (e) {
+  assertEq(e instanceof URIError, true);
+  reportCompare(true,true);
+}

js/src/tests/ecma_5/Global/jstests.list

@@ -9,3 +9,4 @@ script parenthesized-eval-is-direct.js
 script eval-native-callback-is-indirect.js
 script direct-eval-but-not.js
 script eval-in-strict-eval-in-normal-function.js
+script bug660612.js