From 44be64f09991e705c1f2a3baf0aafcb01c890406 Mon Sep 17 00:00:00 2001
From: drepper
Date: Mon, 18 Sep 2000 17:53:38 +0000
Subject: [PATCH] (BODY for TO_LOOP): Reject UCS-4 input in the range 0xD800..0xDFFF.
---
 iconvdata/utf-16.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/iconvdata/utf-16.c b/iconvdata/utf-16.c
index 77dc3c0068..aa0d00c119 100644
--- a/iconvdata/utf-16.c
+++ b/iconvdata/utf-16.c
@@ -196,6 +196,22 @@ gconv_end (struct __gconv_step *data)
 { \
 uint32_t c = get32 (inptr); \
 \
+ if (__builtin_expect (c >= 0xd800 && c < 0xe000, 0)) \
+ { \
+ /* Surrogate characters in UCS-4 input are not valid. \
+ We must catch this. If we let surrogates pass through, \
+ attackers could make a security hole exploit by \
+ synthesizing any desired plane 1-16 character. */ \
+ if (! ignore_errors_p ()) \
+ { \
+ result = __GCONV_ILLEGAL_INPUT; \
+ break; \
+ } \
+ inptr += 4; \
+ ++*irreversible; \
+ continue; \
+ } \
+ \
 if (swap) \
 { \
 if (__builtin_expect (c, 0) >= 0x10000) \
-- 
2.11.0
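Review bot: The comment inside the new `c >= 0xd800 && c < 0xe000` branch names the risk but not the mechanism, and "make a security hole exploit" reads awkwardly. I would reword it along the lines of `/* Surrogate code points are not valid UCS-4.  Copied through as UTF-16 code units, two of them could pair up and decode as a plane 1-16 character that was never in the input, bypassing checks done on the UCS-4 side.  */`. In the `ignore_errors_p ()` path the four input bytes are skipped and only `*irreversible` is incremented, so the output is silently shorter than the input. That looks consistent with ignore mode, but a short why-comment there would help callers who validate text before or after conversion. The diffstat shows only iconvdata/utf-16.c, so no regression test pins the 0xD800 and 0xDFFF boundaries or the two neighbouring valid values. The enclosing macro body starts and ends outside the hunk.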