From 7bb2a4671503c41d63989dcef9ef54dea0c73b43 Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita
Date: Thu, 7 Apr 2016 06:42:55 +0900
Subject: Fix segfault on bogus text
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820162
---
 libwc/ucs.c | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'libwc/ucs.c')
diff --git a/libwc/ucs.c b/libwc/ucs.c
index 5e78b4e..727e574 100644
--- a/libwc/ucs.c
+++ b/libwc/ucs.c
@@ -109,6 +109,7 @@ wc_any_to_ucs(wc_wchar_t cc)
 {
 int f;
 wc_uint16 *map = NULL;
+ wc_uint32 map_size = 0x80;
 wc_map *map2;
 f = WC_CCS_INDEX(cc.ccs);
@@ -139,6 +140,7 @@ wc_any_to_ucs(wc_wchar_t cc)
 if (f < WC_F_ISO_BASE || f > WC_F_CS94W_END)
 return 0;
 map = cs94w_ucs_map[f - WC_F_ISO_BASE];
+ map_size = cs94w_ucs_map_size[f - WC_F_ISO_BASE];
 cc.code = WC_CS94W_N(cc.code);
 break;
 case WC_CCS_A_CS96:
@@ -151,6 +153,7 @@ wc_any_to_ucs(wc_wchar_t cc)
 if (f < WC_F_ISO_BASE || f > WC_F_CS96W_END)
 return WC_C_UCS4_ERROR;
 map = cs96w_ucs_map[f - WC_F_ISO_BASE];
+ map_size = cs96w_ucs_map_size[f - WC_F_ISO_BASE];
 cc.code = WC_CS96W_N(cc.code);
 break;
 case WC_CCS_A_CS942:
@@ -181,6 +184,7 @@ wc_any_to_ucs(wc_wchar_t cc)
 if (f < WC_F_PCS_BASE || f > WC_F_PCSW_END)
 return WC_C_UCS4_ERROR;
 map = pcsw_ucs_map[f - WC_F_PCS_BASE];
+ map_size = pcsw_ucs_map_size[f - WC_F_PCS_BASE];
 switch (cc.ccs) {
 case WC_CCS_BIG5:
 cc.code = WC_BIG5_N(cc.code);
@@ -272,6 +276,8 @@ wc_any_to_ucs(wc_wchar_t cc)
 }
 if (map == NULL)
 return WC_C_UCS4_ERROR;
+ if (map_size == 0 || cc.code > map_size - 1)
+ return WC_C_UCS4_ERROR;
 cc.code = map[cc.code];
 return cc.code ? cc.code : WC_C_UCS4_ERROR;
 }
-- 
cgit v1.2.3
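Review bot: In the hunk at `@@ -109,6 +109,7 @@`, the initial value on the added line `wc_uint32 map_size = 0x80;` is an unexplained bound that silently applies to every `case` that assigns `map` without also assigning `map_size`. Only the cs94w, cs96w and pcsw branches override it in this patch, so for every other branch the final bounds check is only as good as the assumption that its table holds at least 0x80 entries, which cannot be confirmed from the lines shown. If that is the intent, a comment on the declaration such as `/* default bound for tables indexed by a 7-bit code; wide tables override it below */` would make the invariant auditable. The body of wc_any_to_ucs continues well past this hunk.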
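Review bot: In the hunk at `@@ -139,6 +140,7 @@`, the new lookup `cs94w_ucs_map_size[f - WC_F_ISO_BASE]` trusts a size table that has to stay index-for-index parallel with `cs94w_ucs_map`, and nothing in the lines shown ties the two together. If a map is added or regenerated without its matching size entry, the bounds check at the end of the function would compare against the wrong length, and the out-of-bounds read this commit closes could reappear for that charset. The same applies to `cs96w_ucs_map_size` and `pcsw_ucs_map_size` in the two following hunks. A comment at each use such as `/* size table must stay parallel to cs94w_ucs_map */` would help. Where the tables are defined, which is outside this diff, a compile-time check that each pair has the same element count would keep them from drifting.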
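Review bot: In the hunk at `@@ -272,6 +276,8 @@`, the added guard `if (map_size == 0 || cc.code > map_size - 1)` can be a single comparison, `if (cc.code >= map_size)`. That form also rejects an empty table without the separate zero test, provided `cc.code` is unsigned like `map_size`; its declaration is outside the hunk. The check would also benefit from a line saying why it exists, for example `/* bogus input can yield an index past the table; treat it as unmappable */`. The function begins outside this hunk, so the branches that feed `cc.code` into this check are not all visible here.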