commit: reject overlong UTF-8 sequences

The commit code accepts pseudo-UTF-8 sequences that encode a character with more
bytes than necessary.  Reject such sequences, since they are not valid UTF-8.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/commit.c b/commit.c
index b140af7e449c0dfce54733bd66747a7e7acc784a..5097dba3928fe7ca19f0010cd1fe8db6fd5d3622 100644 (file)
--- a/commit.c
+++ b/commit.c
@@ -1240,11 +1240,15 @@ int commit_tree(const struct strbuf *msg, unsigned char *tree,
 static int find_invalid_utf8(const char *buf, int len)
 {
        int offset = 0;
+       static const unsigned int max_codepoint[] = {
+               0x7f, 0x7ff, 0xffff, 0x10ffff
+       };
 
        while (len) {
                unsigned char c = *buf++;
                int bytes, bad_offset;
                unsigned int codepoint;
+               unsigned int min_val, max_val;
 
                len--;
                offset++;
@@ -1276,8 +1280,13 @@ static int find_invalid_utf8(const char *buf, int len)
                if (len < bytes)
                        return bad_offset;
 
-               /* Place the encoded bits at the bottom of the value. */
+               /*
+                * Place the encoded bits at the bottom of the value and compute the
+                * valid range.
+                */
                codepoint = (c & 0x7f) >> bytes;
+               min_val = max_codepoint[bytes-1] + 1;
+               max_val = max_codepoint[bytes];
 
                offset += bytes;
                len -= bytes;
@@ -1290,8 +1299,8 @@ static int find_invalid_utf8(const char *buf, int len)
                                return bad_offset;
                } while (--bytes);
 
-               /* No codepoints can ever be allocated beyond U+10FFFF. */
-               if (codepoint > 0x10ffff)
+               /* Reject codepoints that are out of range for the sequence length. */
+               if (codepoint < min_val || codepoint > max_val)
                        return bad_offset;
                /* Surrogates are only for UTF-16 and cannot be encoded in UTF-8. */
                if ((codepoint & 0x1ff800) == 0xd800)
@@ -1308,9 +1317,6 @@ static int find_invalid_utf8(const char *buf, int len)
  *
  * If it isn't, it assumes any non-utf8 characters are Latin1,
  * and does the conversion.
- *
- * Fixme: we should probably also disallow overlong forms.
- * But we don't do that currently.
  */
 static int verify_utf8(struct strbuf *buf)
 {

diff --git a/t/t3900-i18n-commit.sh b/t/t3900-i18n-commit.sh
index 687669f28d930cb217f54b6f207f41a1835e17b7..051ea9d3c289d825601aed0a3055b1565370dc3a 100755 (executable)
--- a/t/t3900-i18n-commit.sh
+++ b/t/t3900-i18n-commit.sh
@@ -48,6 +48,16 @@ test_expect_success 'UTF-8 invalid characters refused' '
        grep "did not conform" "$HOME"/stderr
 '
 
+test_expect_success 'UTF-8 overlong sequences rejected' '
+       test_when_finished "rm -f $HOME/stderr $HOME/invalid" &&
+       rm -f "$HOME/stderr" "$HOME/invalid" &&
+       echo "UTF-8 overlong" >F &&
+       printf "\340\202\251ommit message\n\nThis is not a space:\300\240\n" \
+               >"$HOME/invalid" &&
+       git commit -a -F "$HOME/invalid" 2>"$HOME"/stderr &&
+       grep "did not conform" "$HOME"/stderr
+'
+
 for H in ISO8859-1 eucJP ISO-2022-JP
 do
        test_expect_success "$H setup" '