ASN1: limit the Unicode code point range in UTF8_getc() and UTF8_putc()

Since the Unicode 4.0.0 standard, the valid code point range is U+0000 to U+10FFFF. Make code points outside this range invalid when converting from/to UTF-8. Signed-off-by: Beat Bolli <dev@drbeat.li> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14185)
2025-03-31 20:10:45 +08:00 · 2021-02-14 19:27:56 +01:00 · 2021-02-14 19:27:56 +01:00 · ba64e5a92a
commit ba64e5a92a
parent 90165623a5
1 changed files with 12 additions and 63 deletions
--- a/crypto/asn1/a_utf8.c
+++ b/crypto/asn1/a_utf8.c
@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -9,6 +9,7 @@

 #include <stdio.h>
 #include "internal/cryptlib.h"
+#include "internal/unicode.h"
 #include <openssl/asn1.h>

 /* UTF8 utilities */
@ -58,6 +59,8 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
        value |= *p++ & 0x3f;
        if (value < 0x800)
            return -4;
+        if (is_unicode_surrogate(value))
+            return -2;
        ret = 3;
    } else if ((*p & 0xf8) == 0xf0) {
        if (len < 4)
@ -73,40 +76,6 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
        if (value < 0x10000)
            return -4;
        ret = 4;
-    } else if ((*p & 0xfc) == 0xf8) {
-        if (len < 5)
-            return -1;
-        if (((p[1] & 0xc0) != 0x80)
-            || ((p[2] & 0xc0) != 0x80)
-            || ((p[3] & 0xc0) != 0x80)
-            || ((p[4] & 0xc0) != 0x80))
-            return -3;
-        value = ((unsigned long)(*p++ & 0x3)) << 24;
-        value |= ((unsigned long)(*p++ & 0x3f)) << 18;
-        value |= ((unsigned long)(*p++ & 0x3f)) << 12;
-        value |= (*p++ & 0x3f) << 6;
-        value |= *p++ & 0x3f;
-        if (value < 0x200000)
-            return -4;
-        ret = 5;
-    } else if ((*p & 0xfe) == 0xfc) {
-        if (len < 6)
-            return -1;
-        if (((p[1] & 0xc0) != 0x80)
-            || ((p[2] & 0xc0) != 0x80)
-            || ((p[3] & 0xc0) != 0x80)
-            || ((p[4] & 0xc0) != 0x80)
-            || ((p[5] & 0xc0) != 0x80))
-            return -3;
-        value = ((unsigned long)(*p++ & 0x1)) << 30;
-        value |= ((unsigned long)(*p++ & 0x3f)) << 24;
-        value |= ((unsigned long)(*p++ & 0x3f)) << 18;
-        value |= ((unsigned long)(*p++ & 0x3f)) << 12;
-        value |= (*p++ & 0x3f) << 6;
-        value |= *p++ & 0x3f;
-        if (value < 0x4000000)
-            return -4;
-        ret = 6;
    } else
        return -2;
    *val = value;
@ -116,15 +85,15 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
 /*
 * This takes a character 'value' and writes the UTF8 encoded value in 'str'
 * where 'str' is a buffer containing 'len' characters. Returns the number of
- * characters written or -1 if 'len' is too small. 'str' can be set to NULL
- * in which case it just returns the number of characters. It will need at
- * most 6 characters.
+ * characters written, -1 if 'len' is too small or -2 if 'value' is out of
+ * range. 'str' can be set to NULL in which case it just returns the number of
+ * characters. It will need at most 4 characters.
 */

 int UTF8_putc(unsigned char *str, int len, unsigned long value)
 {
    if (!str)
-        len = 6;                /* Maximum we will need */
+        len = 4;                /* Maximum we will need */
    else if (len <= 0)
        return -1;
    if (value < 0x80) {
@ -142,6 +111,8 @@ int UTF8_putc(unsigned char *str, int len, unsigned long value)
        return 2;
    }
    if (value < 0x10000) {
+        if (is_unicode_surrogate(value))
+            return -2;
        if (len < 3)
            return -1;
        if (str) {
@ -151,7 +122,7 @@ int UTF8_putc(unsigned char *str, int len, unsigned long value)
        }
        return 3;
    }
-    if (value < 0x200000) {
+    if (value < UNICODE_LIMIT) {
        if (len < 4)
            return -1;
        if (str) {
@ -162,27 +133,5 @@ int UTF8_putc(unsigned char *str, int len, unsigned long value)
        }
        return 4;
    }
-    if (value < 0x4000000) {
-        if (len < 5)
-            return -1;
-        if (str) {
-            *str++ = (unsigned char)(((value >> 24) & 0x3) | 0xf8);
-            *str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80);
-            *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80);
-            *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
-            *str = (unsigned char)((value & 0x3f) | 0x80);
-        }
-        return 5;
-    }
-    if (len < 6)
-        return -1;
-    if (str) {
-        *str++ = (unsigned char)(((value >> 30) & 0x1) | 0xfc);
-        *str++ = (unsigned char)(((value >> 24) & 0x3f) | 0x80);
-        *str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80);
-        *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80);
-        *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
-        *str = (unsigned char)((value & 0x3f) | 0x80);
-    }
-    return 6;
+    return -2;
 }