CVE-2015-5330: next_codepoint_handle_ext: don't short-circuit UTF16 low bytes
author Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Tue, 24 Nov 2015 00:54:09 +0000 (13:54 +1300)
committer Ralph Boehme <slow@samba.org>
Wed, 9 Dec 2015 16:17:05 +0000 (17:17 +0100)
UTF16 contains zero bytes when it is encoding ASCII (for example), so we
can't assume the absence of the 0x80 bit means a one byte encoding. No
current callers use UTF16.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
lib/util/charset/codepoints.c

index 542eeae73a57789a982b1f759c3d0e20cf6b8ed5..19d084f3d4a59976474e550896727adea05e6191 100644 (file)
@@ -331,7 +331,10 @@ _PUBLIC_ codepoint_t next_codepoint_handle_ext(
        size_t olen;
        char *outbuf;
 
-       if ((str[0] & 0x80) == 0) {
+
+       if (((str[0] & 0x80) == 0) && (src_charset == CH_DOS ||
+                                      src_charset == CH_UNIX ||
+                                      src_charset == CH_UTF8)) {
                *bytes_consumed = 1;
                return (codepoint_t)str[0];
        }
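
Review bot: the charset allowlist added to the `if` condition has no comment explaining why only CH_DOS, CH_UNIX and CH_UTF8 may take the one-byte shortcut. A short comment above the condition (these are the charsets where a byte without the 0x80 bit is a complete ASCII character, whereas UTF16 encodes ASCII with zero bytes) would keep a later edit from widening the list without checking that property. The hunk also adds a second blank line before the `if`, leaving two consecutive empty lines; one can be dropped. Since the commit message notes that no current caller uses UTF16, a unit test that passes a UTF16 source charset through next_codepoint_handle_ext would keep the non-shortcut path exercised.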