diff options
| author |  brian m. carlson <sandals@crustytoothpaste.net> | 2013-07-04 17:19:43 +0000 |
|---|---|---|
| committer |  Junio C Hamano <gitster@pobox.com> | 2013-07-04 21:45:18 -0700 |
| commit | 28110d4bfc613d875231d3d7788500d876136ffc (patch) | |
| tree | a67b9e74f1df050de67d2026ec56a03c93709cbd | |
| parent | Update draft release notes to 1.8.3.3 (diff) | |
| download | tgif-28110d4bfc613d875231d3d7788500d876136ffc.tar.xz | |
commit: reject invalid UTF-8 codepoints
The commit code already contains code for validating UTF-8, but it does not
check for invalid values, such as guaranteed non-characters and surrogates. Fix
this by explicitly checking for and rejecting such characters.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
| -rw-r--r-- | commit.c | 27 | ||||
| -rwxr-xr-x | t/t3900-i18n-commit.sh | 8 |
2 files changed, 30 insertions, 5 deletions
@@ -1244,6 +1244,7 @@ static int find_invalid_utf8(const char *buf, int len) while (len) { unsigned char c = *buf++; int bytes, bad_offset; + unsigned int codepoint; len--; offset++; @@ -1264,24 +1265,40 @@ static int find_invalid_utf8(const char *buf, int len) bytes++; } - /* Must be between 1 and 5 more bytes */ - if (bytes < 1 || bytes > 5) + /* + * Must be between 1 and 3 more bytes. Longer sequences result in + * codepoints beyond U+10FFFF, which are guaranteed never to exist. + */ + if (bytes < 1 || 3 < bytes) return bad_offset; /* Do we *have* that many bytes? */ if (len < bytes) return bad_offset; + /* Place the encoded bits at the bottom of the value. */ + codepoint = (c & 0x7f) >> bytes; + offset += bytes; len -= bytes; /* And verify that they are good continuation bytes */ do { + codepoint <<= 6; + codepoint |= *buf & 0x3f; if ((*buf++ & 0xc0) != 0x80) return bad_offset; } while (--bytes); - /* We could/should check the value and length here too */ + /* No codepoints can ever be allocated beyond U+10FFFF. */ + if (codepoint > 0x10ffff) + return bad_offset; + /* Surrogates are only for UTF-16 and cannot be encoded in UTF-8. */ + if ((codepoint & 0x1ff800) == 0xd800) + return bad_offset; + /* U+FFFE and U+FFFF are guaranteed non-characters. */ + if ((codepoint & 0x1ffffe) == 0xfffe) + return bad_offset; } return -1; } @@ -1292,8 +1309,8 @@ static int find_invalid_utf8(const char *buf, int len) * If it isn't, it assumes any non-utf8 characters are Latin1, * and does the conversion. * - * Fixme: we should probably also disallow overlong forms and - * invalid characters. But we don't do that currently. + * Fixme: we should probably also disallow overlong forms. + * But we don't do that currently. */ static int verify_utf8(struct strbuf *buf) { diff --git a/t/t3900-i18n-commit.sh b/t/t3900-i18n-commit.sh index 37ddabba2d..687669f28d 100755 --- a/t/t3900-i18n-commit.sh +++ b/t/t3900-i18n-commit.sh @@ -39,6 +39,14 @@ test_expect_failure 'UTF-16 refused because of NULs' ' git commit -a -F "$TEST_DIRECTORY"/t3900/UTF-16.txt ' +test_expect_success 'UTF-8 invalid characters refused' ' + test_when_finished "rm -f $HOME/stderr $HOME/invalid" && + echo "UTF-8 characters" >F && + printf "Commit message\n\nInvalid surrogate:\355\240\200\n" \ + >"$HOME/invalid" && + git commit -a -F "$HOME/invalid" 2>"$HOME"/stderr && + grep "did not conform" "$HOME"/stderr +' for H in ISO8859-1 eucJP ISO-2022-JP do |