diff options
| author | Michael Schröder <mls@suse.de> | 2022-02-02 00:43:14 +0200 |
|---|---|---|
| committer | Alexander Naumov <alexander_naumov@opensuse.org> | 2022-02-02 00:43:14 +0200 |
| commit | 3aa385ea5279c77986ee2eece4289dce890612cb (patch) | |
| tree | 8d8ae62d047194fe3a8a666d84abe6d632d5737b | |
| parent | 8d19c07b28e4ce687305462b20861db69cbb1085 (diff) | |
| download | screen-3aa385ea5279c77986ee2eece4289dce890612cb.tar.gz | |
bugfix CVE-2021-26937
It allows remote attackers to cause a denial of service
(invalid write access and application crash) or possibly
have unspecified other impact via a crafted UTF-8
character sequence.
bugfix: https://savannah.gnu.org/bugs/?60030
Signed-off-by: Alexander Naumov <alexander_naumov@opensuse.org>
| -rw-r--r-- | src/encoding.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/src/encoding.c b/src/encoding.c index 11c3c41..7f03a12 100644 --- a/src/encoding.c +++ b/src/encoding.c @@ -35,7 +35,7 @@ static int encmatch(char *, char *); static int recode_char(int, int, int); static int recode_char_to_encoding(int, int); -static void comb_tofront(int, int); +static void comb_tofront(int); static int recode_char_dw(int, int *, int, int); static int recode_char_dw_to_encoding(int, int *, int); @@ -1044,6 +1044,8 @@ bool utf8_isdouble(uint32_t c) {0x30000, 0x3FFFD}, }; + if (c >= 0xdf00 && c <= 0xdfff) + return 1; /* dw combining sequence */ return ((bisearch(c, wide, ARRAY_SIZE(wide) - 1)) || (cjkwidth && bisearch(c, ambiguous, ARRAY_SIZE(ambiguous) - 1))); } @@ -1105,9 +1107,10 @@ bool utf8_iscomb(uint32_t c) return bisearch(c, combining, ARRAY_SIZE(combining) - 1); } -static void comb_tofront(int root, int i) +static void comb_tofront(int i) { for (;;) { + int root = i >= 0x700 ? 0x801 : 0x800; combchars[combchars[i]->prev]->next = combchars[i]->next; combchars[combchars[i]->next]->prev = combchars[i]->prev; combchars[i]->next = combchars[root]->next; @@ -1162,9 +1165,9 @@ void utf8_handle_comb(unsigned int c, struct mchar *mc) if (i == combchars[root]->c2) { /* full, recycle old entry */ if (c1 >= 0xd800 && c1 < 0xe000) - comb_tofront(root, c1 - 0xd800); + comb_tofront(c1 - 0xd800); i = combchars[root]->prev; - if (c1 == i + 0xd800) { + if (i == 0x800 || i == 0x801 || c1 == i + 0xd800) { /* completely full, can't recycle */ mc->image = '?'; mc->font = 0; @@ -1182,7 +1185,7 @@ void utf8_handle_comb(unsigned int c, struct mchar *mc) combchars[i]->c2 = c; mc->image = i & 0xff; mc->font = (i >> 8) + 0xd8; - comb_tofront(root, i); + comb_tofront(i); } static int encmatch(char *s1, char *s2) |