Closed Bug 74198 Opened 24 years ago Closed 24 years ago

NS_ConvertUTF8toUCS2() accepts overlong sequences

Categories

(Core :: XPCOM, defect)

RESOLVED FIXED

People

(Reporter: jgmyers, Assigned: jgmyers)

Attachments

(3 files)

NS_ConvertUTF8toUCS2() suffers from the problem described in bug 50702.
Attached patch Proposed fix (deleted) — Splinter Review
sr=scc
An alternate fix would be to follow the following ABNF grammar. The grammar allows U+FFFF. Only U+FFFE is currently considered security critical; it currently doesn't matter whether or not U+FFFF is decoded.

    UTF8 = UTF8-1 / UTF8-multibyte
    UTF8-multibyte = UTF8-2 / UTF8-3 / UTF8-4 / UTF8-5 / UTF8-6
    UTF8-following = %x80-BF

    UTF8-1 = %x00-7F

    UTF8-2 = %xC2-DF UTF8-following
        ; Disallow overlong sequences beginning with 0xC0 and 0xC1.

    UTF8-3 = (%xE0 %xA0-BF UTF8-following) /
             (%xE1-EC 2UTF8-following) /
             (%xED %x80-9F UTF8-following) /
             (%xEE 2UTF8-following) /
             (%xEF %x80-BE UTF8-loworder) /
             (%xEF %xBF %x80-BD) /
             (%xEF %xBF %xBF)
        ; Disallow overlong sequences beginning with 0xE0,
        ; disallow encoded surrogate code points, and
        ; disallow reverse UTF-16 byte-order mark U+FFFE

    UTF8-4 = (%xF0 %x90-BF 2UTF8-following) /
             (%xF1-F7 3UTF8-following)
        ; Disallow overlong sequences beginning with 0xF0.

    UTF8-5 = (%xF8 %x88-BF 3UTF8-following) /
             (%xF9-FB 4UTF8-following)
        ; Disallow overlong sequences beginning with 0xF8.

    UTF8-6 = (%xFC %x84-BF 4UTF8-following) /
             (%xFD 5UTF8-following)
        ; Disallow overlong sequences beginning with 0xFC.
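Added example (not part of the bug report and not Mozilla's code): a strict decoder in C++ that enforces the restrictions named in the grammar's comments by decoding first, then rejecting any code point below the minimum for its sequence length, any surrogate, and U+FFFE. The function names are hypothetical; like the grammar, it accepts U+FFFF and the 5- and 6-byte forms.

```cpp
#include <cstddef>
#include <cstdint>

// Added example, not Mozilla code. Decodes one sequence from s[0..len) using
// the 1..6 byte forms the grammar above covers. Returns bytes consumed, or 0
// if the sequence is truncated, malformed, overlong, a surrogate, or U+FFFE.
static size_t strict_utf8_decode(const unsigned char* s, size_t len, uint32_t* out) {
    // Smallest code point that legitimately needs n bytes; index = n.
    static const uint32_t kMin[7] = {0, 0, 0x80, 0x800, 0x10000, 0x200000, 0x4000000};
    if (len == 0) return 0;
    unsigned char b = s[0];
    size_t n;
    uint32_t cp;
    if (b < 0x80)      { n = 1; cp = b; }
    else if (b < 0xC0) { return 0; }             // stray continuation byte
    else if (b < 0xE0) { n = 2; cp = b & 0x1F; }
    else if (b < 0xF0) { n = 3; cp = b & 0x0F; }
    else if (b < 0xF8) { n = 4; cp = b & 0x07; }
    else if (b < 0xFC) { n = 5; cp = b & 0x03; }
    else if (b < 0xFE) { n = 6; cp = b & 0x01; }
    else               { return 0; }             // 0xFE and 0xFF are never valid
    if (len < n) return 0;                       // truncated sequence
    for (size_t i = 1; i < n; ++i) {
        if ((s[i] & 0xC0) != 0x80) return 0;     // not in %x80-BF
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (cp < kMin[n]) return 0;                  // overlong encoding
    if (cp >= 0xD800 && cp <= 0xDFFF) return 0;  // encoded surrogate
    if (cp == 0xFFFE) return 0;                  // reverse byte-order mark
    *out = cp;
    return n;
}

// Returns true only if the whole buffer is a run of acceptable sequences.
static bool strict_utf8_valid(const unsigned char* s, size_t len) {
    uint32_t cp;
    while (len > 0) {
        size_t n = strict_utf8_decode(s, len, &cp);
        if (n == 0) return false;
        s += n;
        len -= n;
    }
    return true;
}
```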
r=jag on this patch. Could you look into your suggestion and see what changes it results in to the current code?
Attached patch Untested table-based decoder (deleted) — Splinter Review
Attached patch Revised table based decoder. (deleted) — Splinter Review
Fix was checked in.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
*** Bug 86411 has been marked as a duplicate of this bug. ***
Component: String → XPCOM