Skip to content

Commit 73f4c9a

Browse files
gitstergitster
committed
Merge branch 'bc/commit-invalid-utf8'
Logic to auto-detect character encodings in the commit log message did not reject overlong and invalid UTF-8 characters. * bc/commit-invalid-utf8: commit: reject non-characters commit: reject overlong UTF-8 sequences commit: reject invalid UTF-8 codepoints
2 parents 0d64cdf + 81050ac commit 73f4c9a

File tree

2 files changed

+68
-6
lines changed

2 files changed

+68
-6
lines changed

commit.c

Lines changed: 32 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1350,10 +1350,15 @@ int commit_tree(const struct strbuf *msg, unsigned char *tree,
13501350
static int find_invalid_utf8(const char *buf, int len)
13511351
{
13521352
int offset = 0;
1353+
static const unsigned int max_codepoint[] = {
1354+
0x7f, 0x7ff, 0xffff, 0x10ffff
1355+
};
13531356

13541357
while (len) {
13551358
unsigned char c = *buf++;
13561359
int bytes, bad_offset;
1360+
unsigned int codepoint;
1361+
unsigned int min_val, max_val;
13571362

13581363
len--;
13591364
offset++;
@@ -1374,24 +1379,48 @@ static int find_invalid_utf8(const char *buf, int len)
13741379
bytes++;
13751380
}
13761381

1377-
/* Must be between 1 and 5 more bytes */
1378-
if (bytes < 1 || bytes > 5)
1382+
/*
1383+
* Must be between 1 and 3 more bytes. Longer sequences result in
1384+
* codepoints beyond U+10FFFF, which are guaranteed never to exist.
1385+
*/
1386+
if (bytes < 1 || 3 < bytes)
13791387
return bad_offset;
13801388

13811389
/* Do we *have* that many bytes? */
13821390
if (len < bytes)
13831391
return bad_offset;
13841392

1393+
/*
1394+
* Place the encoded bits at the bottom of the value and compute the
1395+
* valid range.
1396+
*/
1397+
codepoint = (c & 0x7f) >> bytes;
1398+
min_val = max_codepoint[bytes-1] + 1;
1399+
max_val = max_codepoint[bytes];
1400+
13851401
offset += bytes;
13861402
len -= bytes;
13871403

13881404
/* And verify that they are good continuation bytes */
13891405
do {
1406+
codepoint <<= 6;
1407+
codepoint |= *buf & 0x3f;
13901408
if ((*buf++ & 0xc0) != 0x80)
13911409
return bad_offset;
13921410
} while (--bytes);
13931411

1394-
/* We could/should check the value and length here too */
1412+
/* Reject codepoints that are out of range for the sequence length. */
1413+
if (codepoint < min_val || codepoint > max_val)
1414+
return bad_offset;
1415+
/* Surrogates are only for UTF-16 and cannot be encoded in UTF-8. */
1416+
if ((codepoint & 0x1ff800) == 0xd800)
1417+
return bad_offset;
1418+
/* U+xxFFFE and U+xxFFFF are guaranteed non-characters. */
1419+
if ((codepoint & 0xffffe) == 0xfffe)
1420+
return bad_offset;
1421+
/* So are anything in the range U+FDD0..U+FDEF. */
1422+
if (codepoint >= 0xfdd0 && codepoint <= 0xfdef)
1423+
return bad_offset;
13951424
}
13961425
return -1;
13971426
}
@@ -1401,9 +1430,6 @@ static int find_invalid_utf8(const char *buf, int len)
14011430
*
14021431
* If it isn't, it assumes any non-utf8 characters are Latin1,
14031432
* and does the conversion.
1404-
*
1405-
* Fixme: we should probably also disallow overlong forms and
1406-
* invalid characters. But we don't do that currently.
14071433
*/
14081434
static int verify_utf8(struct strbuf *buf)
14091435
{

t/t3900-i18n-commit.sh

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,42 @@ test_expect_failure 'UTF-16 refused because of NULs' '
3939
git commit -a -F "$TEST_DIRECTORY"/t3900/UTF-16.txt
4040
'
4141

42+
test_expect_success 'UTF-8 invalid characters refused' '
43+
test_when_finished "rm -f $HOME/stderr $HOME/invalid" &&
44+
echo "UTF-8 characters" >F &&
45+
printf "Commit message\n\nInvalid surrogate:\355\240\200\n" \
46+
>"$HOME/invalid" &&
47+
git commit -a -F "$HOME/invalid" 2>"$HOME"/stderr &&
48+
grep "did not conform" "$HOME"/stderr
49+
'
50+
51+
test_expect_success 'UTF-8 overlong sequences rejected' '
52+
test_when_finished "rm -f $HOME/stderr $HOME/invalid" &&
53+
rm -f "$HOME/stderr" "$HOME/invalid" &&
54+
echo "UTF-8 overlong" >F &&
55+
printf "\340\202\251ommit message\n\nThis is not a space:\300\240\n" \
56+
>"$HOME/invalid" &&
57+
git commit -a -F "$HOME/invalid" 2>"$HOME"/stderr &&
58+
grep "did not conform" "$HOME"/stderr
59+
'
60+
61+
test_expect_success 'UTF-8 non-characters refused' '
62+
test_when_finished "rm -f $HOME/stderr $HOME/invalid" &&
63+
echo "UTF-8 non-character 1" >F &&
64+
printf "Commit message\n\nNon-character:\364\217\277\276\n" \
65+
>"$HOME/invalid" &&
66+
git commit -a -F "$HOME/invalid" 2>"$HOME"/stderr &&
67+
grep "did not conform" "$HOME"/stderr
68+
'
69+
70+
test_expect_success 'UTF-8 non-characters refused' '
71+
test_when_finished "rm -f $HOME/stderr $HOME/invalid" &&
72+
echo "UTF-8 non-character 2." >F &&
73+
printf "Commit message\n\nNon-character:\357\267\220\n" \
74+
>"$HOME/invalid" &&
75+
git commit -a -F "$HOME/invalid" 2>"$HOME"/stderr &&
76+
grep "did not conform" "$HOME"/stderr
77+
'
4278

4379
for H in ISO8859-1 eucJP ISO-2022-JP
4480
do

0 commit comments

Comments
 (0)