Index: kjs/function.cpp
===================================================================
--- kjs/function.cpp (revision 495921)
+++ kjs/function.cpp (working copy)
@@ -77,7 +77,8 @@ UString encodeURI(ExecState *exec, UStri
 } else if (C.uc >= 0xD800 && C.uc <= 0xDBFF) {
- if (k == string.size()) {
+ // we need two chars
+ if (k + 1 >= string.size()) {
 Object err = Error::create(exec,URIError);
 exec->setException(err);
 free(encbuf);
@@ -197,6 +198,10 @@ UString decodeURI(ExecState *exec, UStri
 }
 k += 2;
+
+ if (decbufLen+2 >= decbufAlloc)
+ decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
+
 if ((B & 0x80) == 0) {
 // Single-byte character
 C = B;
@@ -257,6 +262,12 @@ UString decodeURI(ExecState *exec, UStri
 assert(n == 4);
 unsigned long uuuuu = ((octets[0] & 0x07) << 2) | ((octets[1] >> 4) & 0x03);
 unsigned long vvvv = uuuuu-1;
+ if (vvvv > 0x0F) {
+ Object err = Error::create(exec,URIError);
+ exec->setException(err);
+ free(decbuf);
+ return UString();
+ }
 unsigned long wwww = octets[1] & 0x0F;
 unsigned long xx = (octets[2] >> 4) & 0x03;
 unsigned long yyyy = octets[2] & 0x0F;
@@ -270,9 +281,7 @@ UString decodeURI(ExecState *exec, UStri
 }
 if (reservedSet.find(C) < 0) {
- if (decbufLen+1 >= decbufAlloc)
- decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
- decbuf[decbufLen++] = C;
+ decbuf[decbufLen++] = C;
 } else {
 while (decbufLen+k-start >= decbufAlloc)
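Review bot: Whether `k` still indexes the high surrogate when this branch runs decides if the new bound is right, and that increment is outside the hunk: the old test `k == string.size()` fits a loop that has already advanced `k` past the high surrogate, while the new `k + 1 >= string.size()` is correct only if `k` has not been advanced yet — if it has, a string ending in a valid surrogate pair is now rejected with a URIError. Worth confirming against the lines above and recording the invariant in the comment, e.g. `// C is a high surrogate; its low surrogate must sit at k+1, so a string that ends here is malformed` in place of `// we need two chars`. encodeURI continues outside the hunk.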
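Review bot: The added `realloc` assigns its result straight to `decbuf`, so on allocation failure the original buffer pointer is lost (leaked) and the later `decbuf[decbufLen++] = C` write in the hunk at line 281 dereferences a null pointer, with `decbufAlloc` already doubled by the `*=` inside the call. Assign to a temporary and check it before committing the new pointer and the new size, as sketched below; the failure action should follow whatever the rest of decodeURI does on error (the visible error paths free the buffer and return `UString()`, but none of them covers out-of-memory, so that choice is marked for confirmation). The growth check removed in the last hunk had the same unchecked pattern, so this is not a regression, but hoisting it is the right moment to fix it.
```cpp
      if (decbufLen+2 >= decbufAlloc) {
        UChar *grown = (UChar*)realloc(decbuf, (decbufAlloc * 2) * sizeof(UChar));
        if (!grown) {
          // allocation failed: decbuf is still the old, valid buffer
          free(decbuf);
          return UString(); // TODO(review): confirm the file's out-of-memory convention
        }
        decbuf = grown;
        decbufAlloc *= 2;
      }
```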
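Review bot: The new range check carries no comment explaining what `vvvv > 0x0F` rejects, and it relies on unsigned wrap-around to do part of its job: `uuuuu` is the five-bit plane selector of a 4-byte sequence, so the only valid values are 1..16 (U+10000..U+10FFFF); `uuuuu == 0` is an overlong 4-byte encoding of a BMP code point, and `uuuuu-1` then wraps to the maximum `unsigned long`, which the `> 0x0F` comparison catches as well. Suggest stating that above the check: `// uuuuu must be 1..16: 0 is an overlong 4-byte form (uuuuu-1 wraps to ULONG_MAX) and >16 lies above U+10FFFF`. The 2- and 3-byte branches of this decoder are outside the hunk; if they do not reject overlong forms and the U+D800..U+DFFF range in the same way, this validation is only partial. The four-line URIError sequence now appears three times in this diff and would read better as a small static helper that sets the exception and frees the buffer.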