diff options
| author | brian m. carlson <sandals@crustytoothpaste.net> | 2013-07-04 17:20:34 +0000 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2013-07-04 21:48:45 -0700 |
| commit | e82bd6cc70db28dab8d0434e4033013adcd0abfa (patch) | |
| tree | 73528ed434954b799e4bf4cd2631fba2326d990e /commit.c | |
| parent | 28110d4bfc613d875231d3d7788500d876136ffc (diff) | |
| download | git-e82bd6cc70db28dab8d0434e4033013adcd0abfa.tar.gz | |
commit: reject overlong UTF-8 sequences
The commit code accepts pseudo-UTF-8 sequences that encode a character with more
bytes than necessary. Reject such sequences, since they are not valid UTF-8.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'commit.c')
| -rw-r--r-- | commit.c | 18 |
1 files changed, 12 insertions, 6 deletions
@@ -1240,11 +1240,15 @@ int commit_tree(const struct strbuf *msg, unsigned char *tree, static int find_invalid_utf8(const char *buf, int len) { int offset = 0; + static const unsigned int max_codepoint[] = { + 0x7f, 0x7ff, 0xffff, 0x10ffff + }; while (len) { unsigned char c = *buf++; int bytes, bad_offset; unsigned int codepoint; + unsigned int min_val, max_val; len--; offset++; @@ -1276,8 +1280,13 @@ static int find_invalid_utf8(const char *buf, int len) if (len < bytes) return bad_offset; - /* Place the encoded bits at the bottom of the value. */ + /* + * Place the encoded bits at the bottom of the value and compute the + * valid range. + */ codepoint = (c & 0x7f) >> bytes; + min_val = max_codepoint[bytes-1] + 1; + max_val = max_codepoint[bytes]; offset += bytes; len -= bytes; @@ -1290,8 +1299,8 @@ static int find_invalid_utf8(const char *buf, int len) return bad_offset; } while (--bytes); - /* No codepoints can ever be allocated beyond U+10FFFF. */ - if (codepoint > 0x10ffff) + /* Reject codepoints that are out of range for the sequence length. */ + if (codepoint < min_val || codepoint > max_val) return bad_offset; /* Surrogates are only for UTF-16 and cannot be encoded in UTF-8. */ if ((codepoint & 0x1ff800) == 0xd800) @@ -1308,9 +1317,6 @@ static int find_invalid_utf8(const char *buf, int len) * * If it isn't, it assumes any non-utf8 characters are Latin1, * and does the conversion. - * - * Fixme: we should probably also disallow overlong forms. - * But we don't do that currently. */ static int verify_utf8(struct strbuf *buf) { |