Correct OOB read (#323)

eschnett · web-flow · commit 2cf0bf5ba10c · 2025-12-30T11:53:28.000-05:00
* Correct OOB read

* Record PR number
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -5,14 +5,14 @@ include (utils.cmake)
 disallow_intree_builds()
 
 # API version - be sure to update utf8proc.h and Makefile, too!
-project (utf8proc VERSION 2.11.2 LANGUAGES C)
+project (utf8proc VERSION 2.11.3 LANGUAGES C)
 
 # This is the ABI version number, which may differ from the
 # API version number (defined in utf8proc.h and above).
 # Be sure to also update these in Makefile and MANIFEST!
 set(SO_MAJOR 3)
 set(SO_MINOR 2)
-set(SO_PATCH 2)
+set(SO_PATCH 3)
 
 option(UTF8PROC_INSTALL "Enable installation of utf8proc" On)
 option(UTF8PROC_ENABLE_TESTING "Enable testing of utf8proc" Off)
diff --git a/MANIFEST b/MANIFEST
@@ -2,8 +2,8 @@ include/
 include/utf8proc.h
 lib/
 lib/libutf8proc.a
-lib/libutf8proc.so -> libutf8proc.so.3.2.2
-lib/libutf8proc.so.2 -> libutf8proc.so.3.2.2
-lib/libutf8proc.so.3.2.2
+lib/libutf8proc.so -> libutf8proc.so.3.2.3
+lib/libutf8proc.so.2 -> libutf8proc.so.3.2.3
+lib/libutf8proc.so.3.2.3
 lib/pkgconfig/
 lib/pkgconfig/libutf8proc.pc
diff --git a/Makefile b/Makefile
@@ -24,10 +24,10 @@ SOFLAG = -Wl,-soname
 # Be sure to also update these ABI versions in MANIFEST and CMakeLists.txt!
 MAJOR=3
 MINOR=2
-PATCH=2
+PATCH=3
 
 # api version (also in utf8proc.h and CMakeLists.txt)
-VERSION=2.11.2
+VERSION=2.11.3
 
 OS := $(shell uname)
 ifeq ($(OS),Darwin) # MacOS X
diff --git a/NEWS.md b/NEWS.md
@@ -1,5 +1,11 @@
 # utf8proc release history #
 
+## Version 2.11.3 ##
+
+2025-12-21
+
+- Correct out-of-bounds memory access when calling `utf8proc_map` with both `UTF8PROC_CHARBOUND` and `UTF8PROC_COMPOSE` ([#323]).
+
 ## Version 2.11.2 ##
 
 2025-11-22
diff --git a/test/fuzzer.c b/test/fuzzer.c
@@ -93,5 +93,8 @@ int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
     utf8proc_map(data, len, &str, UTF8PROC_CHARBOUND | UTF8PROC_DECOMPOSE);
     free(str);
 
+    utf8proc_map(data, len, &str, UTF8PROC_CHARBOUND | UTF8PROC_COMPOSE);
+    free(str);
+
     return 0;
 }
diff --git a/utf8proc.c b/utf8proc.c
@@ -662,6 +662,10 @@ UTF8PROC_DLLEXPORT utf8proc_ssize_t utf8proc_normalize_utf32(utf8proc_int32_t *b
     utf8proc_ssize_t wpos = 0;
     for (rpos = 0; rpos < length; rpos++) {
       utf8proc_int32_t current_char = buffer[rpos];
+      if (current_char < 0) {
+        /* skip grapheme break */
+        continue;
+      }
       const utf8proc_property_t *current_property = unsafe_get_property(current_char);
       if (starter && current_property->combining_class > max_combining_class) {
         /* combination perhaps possible */
diff --git a/utf8proc.h b/utf8proc.h
@@ -73,7 +73,7 @@
 /** The MINOR version number (increased when new functionality is added in a backwards-compatible manner). */
 #define UTF8PROC_VERSION_MINOR 11
 /** The PATCH version (increased for fixes that do not change the API). */
-#define UTF8PROC_VERSION_PATCH 2
+#define UTF8PROC_VERSION_PATCH 3
 /** @} */
 
 #include <stdlib.h>

Original file line number	Diff line number	Diff line change
`@@ -93,5 +93,8 @@ int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)`
`93`	`93`	`utf8proc_map(data, len, &str, UTF8PROC_CHARBOUND \| UTF8PROC_DECOMPOSE);`
`94`	`94`	`free(str);`
`95`	`95`
	`96`	`+ utf8proc_map(data, len, &str, UTF8PROC_CHARBOUND \| UTF8PROC_COMPOSE);`
	`97`	`+ free(str);`
	`98`	`+`
`96`	`99`	`return 0;`
`97`	`100`	`}`