(BODY for TO_LOOP): Reject UCS-4 input in the range 0xD800..0xDFFF.
authordrepper <drepper>
Mon, 18 Sep 2000 17:53:38 +0000 (17:53 +0000)
committerdrepper <drepper>
Mon, 18 Sep 2000 17:53:38 +0000 (17:53 +0000)
iconvdata/utf-16.c

index 77dc3c0..aa0d00c 100644 (file)
@@ -196,6 +196,22 @@ gconv_end (struct __gconv_step *data)
   {                                                                          \
     uint32_t c = get32 (inptr);                                                      \
                                                                              \
+    if (__builtin_expect (c >= 0xd800 && c < 0xe000, 0))                     \
+      {                                                                              \
+       /* Surrogate characters in UCS-4 input are not valid.                 \
+          We must catch this.  If we let surrogates pass through,            \
+          attackers could make a security hole exploit by                    \
+          synthesizing any desired plane 1-16 character.  */                 \
+       if (! ignore_errors_p ())                                             \
+         {                                                                   \
+           result = __GCONV_ILLEGAL_INPUT;                                   \
+           break;                                                            \
+         }                                                                   \
+       inptr += 4;                                                           \
+       ++*irreversible;                                                      \
+       continue;                                                             \
+      }                                                                              \
+                                                                             \
     if (swap)                                                                \
       {                                                                              \
        if (__builtin_expect (c, 0) >= 0x10000)                               \