diff options
| author | Junio C Hamano <gitster@pobox.com> | 2013-07-18 12:58:19 -0700 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2013-07-18 12:58:19 -0700 |
| commit | 73f4c9a104ada33a06d38767404a04bbd4f86672 (patch) | |
| tree | 0b265457d25be9a1f8c217e8866b09438926425e /commit.c | |
| parent | 0d64cdf8e2d7a24bfa6d7246a75c5f207e088164 (diff) | |
| parent | 81050ac604e27395509b5bffe80692a14d6ad3cd (diff) | |
| download | git-73f4c9a104ada33a06d38767404a04bbd4f86672.tar.gz | |
Merge branch 'bc/commit-invalid-utf8'
Logic to auto-detect character encodings in the commit log message
did not reject overlong and invalid UTF-8 characters.
* bc/commit-invalid-utf8:
commit: reject non-characters
commit: reject overlong UTF-8 sequences
commit: reject invalid UTF-8 codepoints
Diffstat (limited to 'commit.c')
| -rw-r--r-- | commit.c | 38 |
1 files changed, 32 insertions, 6 deletions
@@ -1350,10 +1350,15 @@ int commit_tree(const struct strbuf *msg, unsigned char *tree, static int find_invalid_utf8(const char *buf, int len) { int offset = 0; + static const unsigned int max_codepoint[] = { + 0x7f, 0x7ff, 0xffff, 0x10ffff + }; while (len) { unsigned char c = *buf++; int bytes, bad_offset; + unsigned int codepoint; + unsigned int min_val, max_val; len--; offset++; @@ -1374,24 +1379,48 @@ static int find_invalid_utf8(const char *buf, int len) bytes++; } - /* Must be between 1 and 5 more bytes */ - if (bytes < 1 || bytes > 5) + /* + * Must be between 1 and 3 more bytes. Longer sequences result in + * codepoints beyond U+10FFFF, which are guaranteed never to exist. + */ + if (bytes < 1 || 3 < bytes) return bad_offset; /* Do we *have* that many bytes? */ if (len < bytes) return bad_offset; + /* + * Place the encoded bits at the bottom of the value and compute the + * valid range. + */ + codepoint = (c & 0x7f) >> bytes; + min_val = max_codepoint[bytes-1] + 1; + max_val = max_codepoint[bytes]; + offset += bytes; len -= bytes; /* And verify that they are good continuation bytes */ do { + codepoint <<= 6; + codepoint |= *buf & 0x3f; if ((*buf++ & 0xc0) != 0x80) return bad_offset; } while (--bytes); - /* We could/should check the value and length here too */ + /* Reject codepoints that are out of range for the sequence length. */ + if (codepoint < min_val || codepoint > max_val) + return bad_offset; + /* Surrogates are only for UTF-16 and cannot be encoded in UTF-8. */ + if ((codepoint & 0x1ff800) == 0xd800) + return bad_offset; + /* U+xxFFFE and U+xxFFFF are guaranteed non-characters. */ + if ((codepoint & 0xffffe) == 0xfffe) + return bad_offset; + /* So are anything in the range U+FDD0..U+FDEF. */ + if (codepoint >= 0xfdd0 && codepoint <= 0xfdef) + return bad_offset; } return -1; } @@ -1401,9 +1430,6 @@ static int find_invalid_utf8(const char *buf, int len) * * If it isn't, it assumes any non-utf8 characters are Latin1, * and does the conversion. - * - * Fixme: we should probably also disallow overlong forms and - * invalid characters. But we don't do that currently. */ static int verify_utf8(struct strbuf *buf) { |