From 1af40e20be48508da80ee8a5ee06a4f34351a59c Mon Sep 17 00:00:00 2001
From: Ingo Schwarze <schwarze@openbsd.org>
Date: Tue, 28 Oct 2014 13:24:44 +0000
Subject: Tighten Unicode escape name parsing. Accept only 0xXXXX, 0xYXXXX,
 0x10XXXX with Y != 0. This simplifies mchars_num2uc().

---
 chars.c  | 11 +++--------
 mandoc.c | 13 +++++++++----
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/chars.c b/chars.c
index 6c217e43..eb53d20c 100644
--- a/chars.c
+++ b/chars.c
@@ -123,14 +123,9 @@ mchars_num2uc(const char *p, size_t sz)
 {
 	int	 i;
 
-	if ((i = mandoc_strntoi(p, sz, 16)) < 0)
-		return(0xFFFD);
-
-	/*
-	 * XXX Code is missing here to exclude bogus ranges.
-	 */
-
-	return(i <= 0x10FFFF ? i : 0xFFFD);
+	i = mandoc_strntoi(p, sz, 16);
+	assert(i >= 0 && i <= 0x10FFFF);
+	return(i);
 }
 
 const char *
diff --git a/mandoc.c b/mandoc.c
index db7db0c4..f74e32a7 100644
--- a/mandoc.c
+++ b/mandoc.c
@@ -334,13 +334,18 @@ mandoc_escape(const char **end, const char **start, int *sz)
 		if (1 == *sz && 'c' == **start)
 			gly = ESCAPE_NOSPACE;
 		/*
-		 * Unicode escapes are defined in groff as \[uXXXX]
+		 * Unicode escapes are defined in groff as \[u0000]
 		 * to \[u10FFFF], where the contained value must be
 		 * a valid Unicode codepoint.  Here, however, only
-		 * check the length and the validity of all digits.
+		 * check the length and range.
 		 */
-		else if (*sz > 4 && *sz < 8 && **start == 'u' &&
-		    (int)strspn(*start + 1, "0123456789ABCDEFabcdef")
+		if (**start != 'u' || *sz < 5 || *sz > 7)
+			break;
+		if (*sz == 7 && ((*start)[1] != '1' || (*start)[2] != '0'))
+			break;
+		if (*sz == 6 && (*start)[1] == '0')
+			break;
+		if ((int)strspn(*start + 1, "0123456789ABCDEFabcdef")
 		    + 1 == *sz)
 			gly = ESCAPE_UNICODE;
 		break;
-- 
cgit