Merging upstream version 125.0.1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 8 insertions, 5 deletions

diff --git a/js/src/vm/CharacterEncoding.cpp b/js/src/vm/CharacterEncoding.cpp
index 79d28ab719..3d05275e2d 100644
--- a/js/src/vm/CharacterEncoding.cpp
+++ b/js/src/vm/CharacterEncoding.cpp
@@ -286,11 +286,6 @@ static bool InflateUTF8ToUTF16(JSContext* cx, const UTF8Chars& src,
         break;
       }
     } else {
-      // Non-ASCII code unit.  Determine its length in bytes (n).
-      uint32_t n = 1;
-      while (v & (0x80 >> n)) {
-        n++;
-      }
 
 #define INVALID(report, arg, n2)                                    \
   do {                                                              \
@@ -315,6 +310,14 @@ static bool InflateUTF8ToUTF16(JSContext* cx, const UTF8Chars& src,
     }                                                               \
   } while (0)
 
+      // Non-ASCII code unit. Determine its length in bytes (n).
+      //
+      // Avoid undefined behavior from passing in 0
+      // (https://gcc.gnu.org/onlinedocs/gcc/Other-Builtins.html#index-_005f_005fbuiltin_005fclz)
+      // by turning on the low bit so that 0xff will set n=31-24=7, which will
+      // be detected as an invalid character.
+      uint32_t n = mozilla::CountLeadingZeroes32(~int8_t(src[i]) | 0x1) - 24;
+
       // Check the leading byte.
       if (n < 2 || n > 4) {
         INVALID(ReportInvalidCharacter, i, 1);