From bd4d04075fa126552b31cd11aaa50dad72119e6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Fri, 6 Jul 2018 13:05:56 +0200
Subject: [PATCH 2/3] Check codepoint validity in punycode_decode() and
punycode_decode()
These functions were able to generate invalid unicode values resp.
invalid punycode. This is undocumented/unexpected behavior that can
lead to security vulns.
Reported-by: Mike Schiffman (Farsight Security, Inc.)
---
lib/punycode.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/punycode.c b/lib/punycode.c
index d475b6d..f7c63e6 100644
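--- a/lib/punycode.c
+++ b/lib/punycode.c
@@ -228,6 +228,8 @@ punycode_encode (size_t input_length,
 output[out++] = case_flags ?
 encode_basic (input[j], case_flags[j]) : (char) input[j];
 }
+ else if (input[j] > 0x10FFFF)
+ return punycode_bad_input;
 /* else if (input[j] < n) return punycode_bad_input; */
 /* (not needed for Punycode with unsigned code points) */
 }
@@ -418,6 +420,8 @@ punycode_decode (size_t input_length,
 if (i / (out + 1) > maxint - n)
 return punycode_overflow;
 n += i / (out + 1);
+ if (n > 0x10FFFF)
+ return punycode_bad_input;
 i %= (out + 1);
 
 /* Insert n at position i of the output: */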
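Review bot: Both new checks only cap the value at 0x10FFFF, so the surrogate range 0xD800–0xDFFF still passes in punycode_encode() and can still be produced by punycode_decode(), although those values are not valid Unicode scalar values either. Callers that convert the decoded output to UTF-8 or UTF-16 would presumably still receive code points they cannot represent, which is the class of problem the commit message describes. Consider `if (n > 0x10FFFF || (n >= 0xD800 && n <= 0xDFFF))` in the decoder and the matching `else if (input[j] > 0x10FFFF || (input[j] >= 0xD800 && input[j] <= 0xDFFF))` in the encoder, ideally with the limits behind named constants and a short comment such as `/* reject values outside the Unicode scalar range */`. Both function bodies start and end outside the hunks shown, so whether an earlier or later check already covers surrogates cannot be confirmed from here.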
--
1.8.3.1