From 28110d4bfc613d875231d3d7788500d876136ffc Mon Sep 17 00:00:00 2001 From: "brian m. carlson" Date: Thu, 4 Jul 2013 17:19:43 +0000 Subject: commit: reject invalid UTF-8 codepoints The commit code already contains code for validating UTF-8, but it does not check for invalid values, such as guaranteed non-characters and surrogates. Fix this by explicitly checking for and rejecting such characters. Signed-off-by: brian m. carlson Signed-off-by: Junio C Hamano --- commit.c | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) (limited to 'commit.c') diff --git a/commit.c b/commit.c index 888e02ae2..b140af7e4 100644 --- a/commit.c +++ b/commit.c @@ -1244,6 +1244,7 @@ static int find_invalid_utf8(const char *buf, int len) while (len) { unsigned char c = *buf++; int bytes, bad_offset; + unsigned int codepoint; len--; offset++; @@ -1264,24 +1265,40 @@ static int find_invalid_utf8(const char *buf, int len) bytes++; } - /* Must be between 1 and 5 more bytes */ - if (bytes < 1 || bytes > 5) + /* + * Must be between 1 and 3 more bytes. Longer sequences result in + * codepoints beyond U+10FFFF, which are guaranteed never to exist. + */ + if (bytes < 1 || 3 < bytes) return bad_offset; /* Do we *have* that many bytes? */ if (len < bytes) return bad_offset; + /* Place the encoded bits at the bottom of the value. */ + codepoint = (c & 0x7f) >> bytes; + offset += bytes; len -= bytes; /* And verify that they are good continuation bytes */ do { + codepoint <<= 6; + codepoint |= *buf & 0x3f; if ((*buf++ & 0xc0) != 0x80) return bad_offset; } while (--bytes); - /* We could/should check the value and length here too */ + /* No codepoints can ever be allocated beyond U+10FFFF. */ + if (codepoint > 0x10ffff) + return bad_offset; + /* Surrogates are only for UTF-16 and cannot be encoded in UTF-8. */ + if ((codepoint & 0x1ff800) == 0xd800) + return bad_offset; + /* U+FFFE and U+FFFF are guaranteed non-characters. */ + if ((codepoint & 0x1ffffe) == 0xfffe) + return bad_offset; } return -1; } @@ -1292,8 +1309,8 @@ static int find_invalid_utf8(const char *buf, int len) * If it isn't, it assumes any non-utf8 characters are Latin1, * and does the conversion. * - * Fixme: we should probably also disallow overlong forms and - * invalid characters. But we don't do that currently. + * Fixme: we should probably also disallow overlong forms. + * But we don't do that currently. */ static int verify_utf8(struct strbuf *buf) { -- cgit v1.2.1 From e82bd6cc70db28dab8d0434e4033013adcd0abfa Mon Sep 17 00:00:00 2001 From: "brian m. carlson" Date: Thu, 4 Jul 2013 17:20:34 +0000 Subject: commit: reject overlong UTF-8 sequences The commit code accepts pseudo-UTF-8 sequences that encode a character with more bytes than necessary. Reject such sequences, since they are not valid UTF-8. Signed-off-by: brian m. carlson Signed-off-by: Junio C Hamano --- commit.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) (limited to 'commit.c') diff --git a/commit.c b/commit.c index b140af7e4..5097dba39 100644 --- a/commit.c +++ b/commit.c @@ -1240,11 +1240,15 @@ int commit_tree(const struct strbuf *msg, unsigned char *tree, static int find_invalid_utf8(const char *buf, int len) { int offset = 0; + static const unsigned int max_codepoint[] = { + 0x7f, 0x7ff, 0xffff, 0x10ffff + }; while (len) { unsigned char c = *buf++; int bytes, bad_offset; unsigned int codepoint; + unsigned int min_val, max_val; len--; offset++; @@ -1276,8 +1280,13 @@ static int find_invalid_utf8(const char *buf, int len) if (len < bytes) return bad_offset; - /* Place the encoded bits at the bottom of the value. */ + /* + * Place the encoded bits at the bottom of the value and compute the + * valid range. + */ codepoint = (c & 0x7f) >> bytes; + min_val = max_codepoint[bytes-1] + 1; + max_val = max_codepoint[bytes]; offset += bytes; len -= bytes; @@ -1290,8 +1299,8 @@ static int find_invalid_utf8(const char *buf, int len) return bad_offset; } while (--bytes); - /* No codepoints can ever be allocated beyond U+10FFFF. */ - if (codepoint > 0x10ffff) + /* Reject codepoints that are out of range for the sequence length. */ + if (codepoint < min_val || codepoint > max_val) return bad_offset; /* Surrogates are only for UTF-16 and cannot be encoded in UTF-8. */ if ((codepoint & 0x1ff800) == 0xd800) @@ -1308,9 +1317,6 @@ static int find_invalid_utf8(const char *buf, int len) * * If it isn't, it assumes any non-utf8 characters are Latin1, * and does the conversion. - * - * Fixme: we should probably also disallow overlong forms. - * But we don't do that currently. */ static int verify_utf8(struct strbuf *buf) { -- cgit v1.2.1 From 81050ac604e27395509b5bffe80692a14d6ad3cd Mon Sep 17 00:00:00 2001 From: Peter Krefting Date: Tue, 9 Jul 2013 12:16:33 +0100 Subject: commit: reject non-characters Unicode clause D14 defines all characters U+nFFFE and U+nFFFF (where 0 <= n <= 10h) as well as the range U+FDD0..U+FDEF as non-characters, reserved for internal use only. Disallow these characters in commit messages as they are normally not recommended for interchange. Signed-off-by: Peter Krefting Signed-off-by: Junio C Hamano --- commit.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'commit.c') diff --git a/commit.c b/commit.c index 5097dba39..7dcfeea2d 100644 --- a/commit.c +++ b/commit.c @@ -1305,8 +1305,11 @@ static int find_invalid_utf8(const char *buf, int len) /* Surrogates are only for UTF-16 and cannot be encoded in UTF-8. */ if ((codepoint & 0x1ff800) == 0xd800) return bad_offset; - /* U+FFFE and U+FFFF are guaranteed non-characters. */ - if ((codepoint & 0x1ffffe) == 0xfffe) + /* U+xxFFFE and U+xxFFFF are guaranteed non-characters. */ + if ((codepoint & 0xffffe) == 0xfffe) + return bad_offset; + /* So are anything in the range U+FDD0..U+FDEF. */ + if (codepoint >= 0xfdd0 && codepoint <= 0xfdef) return bad_offset; } return -1; -- cgit v1.2.1