From 8f06ab0eb9c22998a47803938588bb0b13092a0b Mon Sep 17 00:00:00 2001
From: Rich Felker <dalias@aerifal.cx>
Date: Mon, 8 Apr 2013 22:29:46 -0400
Subject: fix out-of-bounds access in UTF-8 decoding

SA and SB are used as the lowest and highest valid starter bytes, but
the value of SB was one-past the last valid starter. this caused
access past the end of the state table when the illegal byte '\xf5'
was encountered in a starter position. the error did not show up in
full-character decoding tests, since the bogus state read from just
past the table was unlikely to admit any continuation bytes as valid,
but would have shown up had we tested feeding '\xf5' to the
byte-at-a-time decoding in mbrtowc: it would cause the funtion to
wrongly return -2 rather than -1.

I may eventually go back and remove all references to SA and SB,
replacing them with the values; this would make the code more
transparent, I think. the original motivation for using macros was to
allow misguided users of the code to redefine them for the purpose of
enlarging the set of accepted sequences past the end of Unicode...
---
 src/multibyte/internal.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/multibyte')

diff --git a/src/multibyte/internal.h b/src/multibyte/internal.h
index cd1196ba..25ba240e 100644
--- a/src/multibyte/internal.h
+++ b/src/multibyte/internal.h
@@ -19,4 +19,4 @@ extern const uint32_t bittab[] ATTR_LIBC_VISIBILITY;
 #define FAILSTATE R(0x80,0x80)
 
 #define SA 0xc2u
-#define SB 0xf5u
+#define SB 0xf4u
-- 
cgit v1.2.1