From 282f691f5e57b6bf55ba51ad8c2be2cce8edb938 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Tue, 18 Jun 2024 18:22:55 +0100
Subject: [PATCH] Bug 707788: Fix decode_utf8 to forbid overlong encodings.

These can be used by malicious code to escape directories.

CVE-2024-46954
---
 base/gp_utf8.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/base/gp_utf8.c b/base/gp_utf8.c
index c33fc3550..b78977e37 100644
--- a/base/gp_utf8.c
+++ b/base/gp_utf8.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
   All Rights Reserved.
 
   This software is provided AS-IS with no warranty, either express or
@@ -25,12 +25,16 @@ decode_utf8(const char **inp, unsigned int i)
     if (i < 0x80) {
     } else if ((i & 0xE0) == 0xC0) {
         i &= 0x1F;
+        if (i == 0)
+            goto fail_overlong;
         c = (unsigned char)*in++;
         if ((c & 0xC0) != 0x80)
             goto fail;
         i = (i<<6) | (c & 0x3f);
     } else if ((i & 0xF0) == 0xE0) {
         i &= 0xF;
+        if (i == 0)
+            goto fail_overlong;
         c = (unsigned char)*in++;
         if ((c & 0xC0) != 0x80)
             goto fail;
@@ -41,6 +45,8 @@ decode_utf8(const char **inp, unsigned int i)
         i = (i<<6) | (c & 0x3f);
     } else if ((i & 0xF8) == 0xF0) {
         i &= 0x7;
+        if (i == 0)
+            goto fail_overlong;
         c = (unsigned char)*in++;
         if ((c & 0xC0) != 0x80)
             goto fail;
@@ -59,6 +65,11 @@ decode_utf8(const char **inp, unsigned int i)
     /* If we fail, unread the last one, and return the unicode replacement char. */
 fail:
     in--;
+fail_overlong:
+    /* If we jump to here it's because we've detected an 'overlong' encoding.
+     * While this seems harmless, it's actually illegal, for good reason;
+     * this is typically an attempt to sneak stuff past security checks, like
+     * "../" in paths. Fail this. */
     i = 0xfffd;
     }
     *inp = in;
-- 
2.49.0
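Review bot: The `if (i == 0) goto fail_overlong;` test added in the second hunk (and repeated in the third) is the wrong predicate for all three branches of decode_utf8: in the 2-byte branch a lead byte of 0xC1 leaves i == 1 and still decodes to 0x40..0x7F, an overlong form that now passes, while in the 3-byte and 4-byte branches i == 0 only means the lead byte is 0xE0 or 0xF0, which is also how every legitimate code point in U+0800..U+0FFF and U+10000..U+3FFFF begins, so those are all turned into U+FFFD. Whether a 3- or 4-byte sequence is overlong depends on the high bits of the first continuation byte, so the check belongs after that byte has been read and has passed the existing `(c & 0xC0) != 0x80` test: `if (i < 2)` in the 2-byte branch, `if (i == 0 && (c & 0x20) == 0)` in the 3-byte branch and `if (i == 0 && (c & 0x30) == 0)` in the 4-byte branch, each followed by the existing `goto fail_overlong;`. Once moved, the already-consumed continuation byte stays consumed because `fail_overlong` deliberately bypasses the `in--` at `fail`; that looks acceptable for a rejected sequence but deserves a comment at the label. The `(i & 0xF8) == 0xF0` branch also admits lead bytes 0xF5..0xF7, which can only produce values above U+10FFFF; that predates this commit but belongs with the same validation. decode_utf8's opening and the remaining continuation-byte reads lie outside the hunks.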