From 9da408d15bdef624a5632182cb4edf98001fa82f Mon Sep 17 00:00:00 2001
From: Xiang Zhang <angwerzx@126.com>
Date: Tue, 9 May 2017 11:38:32 +0800
Subject: bpo-29990: Fix range checking in GB18030 decoder (#1495)

When decoding a 4-byte GB18030 sequence, the first and third byte cannot exceed 0xFE.
---
 Modules/cjkcodecs/_codecs_cn.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'Modules/cjkcodecs/_codecs_cn.c')

diff --git a/Modules/cjkcodecs/_codecs_cn.c b/Modules/cjkcodecs/_codecs_cn.c
index 1a070f2f39..bda175c55d 100644
--- a/Modules/cjkcodecs/_codecs_cn.c
+++ b/Modules/cjkcodecs/_codecs_cn.c
@@ -279,7 +279,9 @@ DECODER(gb18030)
             REQUIRE_INBUF(4);
             c3 = INBYTE3;
             c4 = INBYTE4;
-            if (c < 0x81 || c3 < 0x81 || c4 < 0x30 || c4 > 0x39)
+            if (c  < 0x81 || c  > 0xFE ||
+                c3 < 0x81 || c3 > 0xFE ||
+                c4 < 0x30 || c4 > 0x39)
                 return 1;
             c -= 0x81;  c2 -= 0x30;
             c3 -= 0x81; c4 -= 0x30;
-- 
cgit v1.2.1