summaryrefslogtreecommitdiff
path: root/iconvdata/unicode.c
diff options
context:
space:
mode:
Diffstat (limited to 'iconvdata/unicode.c')
-rw-r--r--iconvdata/unicode.c32
1 files changed, 32 insertions, 0 deletions
diff --git a/iconvdata/unicode.c b/iconvdata/unicode.c
index 52c2c9dbdf..b8ea905de3 100644
--- a/iconvdata/unicode.c
+++ b/iconvdata/unicode.c
@@ -154,6 +154,23 @@ gconv_end (struct __gconv_step *data)
{ \
STANDARD_ERR_HANDLER (4); \
} \
+ else if (__builtin_expect (c >= 0xd800 && c < 0xe000, 0)) \
+ { \
+ /* Surrogate characters in UCS-4 input are not valid. \
+ We must catch this, because the UCS-2 output might be \
+ interpreted as UTF-16 by other programs. If we let \
+ surrogates pass through, attackers could make a security \
+ hole exploit by synthesizing any desired plane 1-16 \
+ character. */ \
+ if (! ignore_errors_p ()) \
+ { \
+ result = __GCONV_ILLEGAL_INPUT; \
+ break; \
+ } \
+ inptr += 4; \
+ ++*irreversible; \
+ continue; \
+ } \
else \
{ \
put16 (outptr, c); \
@@ -179,11 +196,26 @@ gconv_end (struct __gconv_step *data)
if (swap) \
u1 = bswap_16 (u1); \
\
+ if (__builtin_expect (u1 >= 0xd800 && u1 < 0xe000, 0)) \
+ { \
+ /* Surrogate characters in UCS-2 input are not valid. Reject \
+ them. (Catching this here is not security relevant.) */ \
+ if (! ignore_errors_p ()) \
+ { \
+ result = __GCONV_ILLEGAL_INPUT; \
+ break; \
+ } \
+ inptr += 2; \
+ ++*irreversible; \
+ continue; \
+ } \
+ \
put32 (outptr, u1); \
\
inptr += 2; \
outptr += 4; \
}
+#define LOOP_NEED_FLAGS
#define EXTRA_LOOP_DECLS \
, int swap
#include <iconv/loop.c>