net::registry_controlled_domains::GetRegistryLength returns the number of characters in the canonicalized URL (it internally canonicalizes).
But in the presence of IDN and escaped characters, canonicalization changes the length, so the returned value cannot be used as indices into the original string. Some callers do this.
For example, there is a Chinese TLD "中国". If you pass "foo.中国" as UTF-8 to GetRegistryLength, it will return 10 because the Punycode version is "xn--fiqs8s". This will also be wrong for escaping like "foo.%53o," (0x53 = 'c').
template_url_service.cc even does GetRegistryLength(UTF16ToUTF8(host)) and then does operations based on the result. In this case, it expects an answer of 2, passes a TLD of length 6 (UTF-8), and gets a result of 10!
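The mismatch described in this report, reproduced as an added Python example (not Chromium code and not part of the original report). `SUFFIXES`, `canonicalize`, `registry_length`, `naive_registry` and `registry_in_original` are hypothetical stand-ins, and the sample hosts are constructed; the last function shows one way to map the result back to the original string by label count instead of by character offset.

```python
from urllib.parse import unquote

# Constructed stand-in for the public suffix list, in canonical form only.
SUFFIXES = {"com", "xn--fiqs8s"}

def canonicalize(host: str) -> str:
    """Unescape, lowercase and Punycode-encode, roughly as a URL canonicalizer does."""
    return unquote(host).lower().encode("idna").decode("ascii")

def registry_length(host: str) -> int:
    """Registry length measured in the CANONICAL host, as the report describes."""
    labels = canonicalize(host).split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        suffix = ".".join(labels[i:])
        if suffix in SUFFIXES:
            return len(suffix)
    return 0

def naive_registry(host: str) -> str:
    """Buggy caller: applies the canonical length to the original string."""
    return host[-registry_length(host):]

def registry_in_original(host: str):
    """Map the registry back to the original string by counting labels."""
    n = registry_length(host)
    if n == 0:
        return None
    canon = canonicalize(host)
    k = canon[-n:].count(".") + 1         # number of labels in the registry
    orig_labels = host.split(".")
    if len(orig_labels) != len(canon.split(".")):
        return None                       # separator was escaped or non-ASCII: refuse to guess
    return ".".join(orig_labels[-k:])

if __name__ == "__main__":
    for h in ["foo.中国", "foo.%63om", "foo%2E中国"]:   # constructed inputs
        print(h, registry_length(h), repr(naive_registry(h)), registry_in_original(h))
```
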
Comment 1 by bugdroid1@chromium.org, Oct 26 2016