author | Anjali Nijhara <a.nijhara@samsung.com> | 2023-03-23 14:06:34 +0530 |
---|---|---|
committer | Anjali Nijhara <a.nijhara@samsung.com> | 2023-03-23 16:37:01 +0530 |
commit | 56da2f7a20abb051e4227a37fb8f1be77e5323f3 (patch) | |
tree | ea8bfb8bb25c772f1c7ac6956062264f56eff7a2 | |
parent | 9ea5010a88fdb102a5e0a63ea4c806de6092d473 (diff) | |
[CVE-2016-6263] stringprep_utf8_nfkc_normalize: Reject invalid UTF8 instead of crashingtizen
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=1fbee57ef3c72db2206dd87e4162108b2f425555
Change-Id: Iee11ba2f143c48cfcd5ba114a2d887aaa4262380
-rw-r--r-- | lib/nfkc.c | 10 | ||||
-rw-r--r-- | tests/Makefile.am | 2 | ||||
-rw-r--r-- | tests/tst_badutf8nfkc.c | 40 |
3 files changed, 51 insertions, 1 deletions
@@ -1026,6 +1026,16 @@ stringprep_ucs4_to_utf8 (const uint32_t * str, ssize_t len,
 char *
 stringprep_utf8_nfkc_normalize (const char *str, ssize_t len)
 {
+ size_t n;
+
+ if (len < 0)
+ n = strlen (str);
+ else
+ n = len;
+
+ if (u8_check ((const uint8_t *) str, n))
+ return NULL;
+
 return g_utf8_normalize (str, len, G_NORMALIZE_NFKC);
 }
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 62804d8..1c7cd40 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -27,7 +27,7 @@ libutils_a_SOURCES = utils.h utils.c
 ctests = tst_stringprep tst_punycode tst_idna tst_idna2 tst_idna3 \
 tst_idna4 tst_nfkc tst_pr29 tst_strerror tst_toutf8 \
- tst_symbols
+ tst_symbols tst_badutf8nfkc \
 if TLD
 ctests += tst_tld
 endif
diff --git a/tests/tst_badutf8nfkc.c b/tests/tst_badutf8nfkc.c
new file mode 100644
index 0000000..aa79c2e
--- /dev/null
+++ b/tests/tst_badutf8nfkc.c
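Review bot: The new early `return NULL` in stringprep_utf8_nfkc_normalize makes the result depend on input validity, and nothing in the hunk documents that; the function's doc comment sits above the hunk, so I cannot see whether it was updated. Extend its return-value text to say NULL is returned when @str is not valid UTF-8, and add `/* Malformed UTF-8 is rejected here rather than handed to g_utf8_normalize (CVE-2016-6263). */` above the `u8_check` call. Callers that pass the result straight on need a NULL check, which is worth auditing alongside this backport. The hunk also shows no include for the header declaring `u8_check`; confirm one is already present in lib/nfkc.c.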
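Review bot: The added line `tst_symbols tst_badutf8nfkc \` ends in a continuation backslash, and going by the hunk's line counts the next line is `if TLD` with no blank line in between (whitespace is collapsed on this page, so confirm against the file). If that is the case, the conditional is read as a continuation of the ctests value rather than as the start of the TLD block. The removed line had no trailing backslash, so drop it here too: `tst_symbols tst_badutf8nfkc`.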
@@ -0,0 +1,40 @@
+/* tst_badutf8nfkc.c --- Self tests for malformed UTF-8 NFKC input.
+ * Copyright (C) 2016 Simon Josefsson
+ *
+ * This file is part of GNU Libidn.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <string.h>
+#include <stdlib.h>
+
+#include <stringprep.h>
+
+#include "utils.h"
+
+void
+doit (void)
+{
+ char *badutf8 = strdup ("\xe4");
+ char *s = NULL;
+
+ s = stringprep_utf8_nfkc_normalize (badutf8, -1);
+ free (s);
+ free (badutf8);
+} |
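Review bot: doit() frees the result without inspecting it, so the test passes whether the malformed `\xe4` input is rejected or quietly normalized; it only catches a crash. Assert the contract the fix introduces, for example `if (s != NULL) fail ("malformed UTF-8 was not rejected\n");` before `free (s);`, assuming utils.h provides the `fail` helper. The `strdup` result is also handed to the library unchecked; a short `if (!badutf8) fail (...)` guard would keep an allocation failure from being reported as a normalizer crash.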