File libidn-CVE-2016-6263.patch of Package libidn

Overview Repositories Revisions Requests Users Attributes Meta

File libidn-CVE-2016-6263.patch of Package libidn

From 1fbee57ef3c72db2206dd87e4162108b2f425555 Mon Sep 17 00:00:00 2001
From: Simon Josefsson <simon@josefsson.org>
Date: Thu, 14 Jan 2016 13:31:33 +0000
Subject: stringprep_utf8_nfkc_normalize: Reject invalid UTF8 instead of crashing.

Also add regression self check.  Reported by Hanno Böck.
---
Index: libidn-1.28/lib/nfkc.c
===================================================================
--- libidn-1.28.orig/lib/nfkc.c
+++ libidn-1.28/lib/nfkc.c
@@ -1086,6 +1086,16 @@ stringprep_ucs4_to_utf8 (const uint32_t
 char *
 stringprep_utf8_nfkc_normalize (const char *str, ssize_t len)
 {
+  size_t n;
+
+  if (len < 0)
+    n = strlen (str);
+  else
+    n = len;
+
+  if (u8_check ((const uint8_t *) str, n))
+    return NULL;
+
   return g_utf8_normalize (str, len, G_NORMALIZE_NFKC);
 }
 
Index: libidn-1.28/tests/Makefile.am
===================================================================
--- libidn-1.28.orig/tests/Makefile.am
+++ libidn-1.28/tests/Makefile.am
@@ -27,7 +27,8 @@ libutils_a_SOURCES = utils.h utils.c
 
 ctests = tst_stringprep tst_punycode tst_idna tst_idna2 tst_idna3	\
 	tst_idna4 tst_nfkc tst_pr29 tst_strerror tst_toutf8		\
-	tst_symbols tst_badutf8 tst_utf8crash tst_toascii64oob
+	tst_symbols tst_badutf8 tst_utf8crash tst_toascii64oob		\
+	tst_badutf8nfkc
 if TLD
 ctests += tst_tld
 endif
Index: libidn-1.28/tests/tst_badutf8nfkc.c
===================================================================
--- /dev/null
+++ libidn-1.28/tests/tst_badutf8nfkc.c
@@ -0,0 +1,41 @@
+/* tst_badutf8nfkc.c --- Self tests for malformed UTF-8 NFKC input.
+ * Copyright (C) 2016 Simon Josefsson
+ *
+ * This file is part of GNU Libidn.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <string.h>
+#include <stdlib.h>
+
+#include <stringprep.h>
+
+#include "utils.h"
+
+void
+doit (void)
+{
+  char *badutf8 = strdup ("\xe4");
+  char *s = NULL;
+
+  s = stringprep_utf8_nfkc_normalize (badutf8, -1);
+  free (s);
+  free (badutf8);
+}

Places

File libidn-CVE-2016-6263.patch of Package libidn

Places