[BZ #10093] cvs/fedora-glibc-20090424T1908

	* iconv/gconv_simple.c (BODY for UTF-8 to INTERNAL): Don't accept
	UTF-16 surrogates.

2 files changed, 8 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index 35b45d825d..fd2c66a7cf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2009-04-24  Ulrich Drepper  <drepper@redhat.com>
 
+	[BZ #10093]
+	* iconv/gconv_simple.c (BODY for UTF-8 to INTERNAL): Don't accept
+	UTF-16 surrogates.
+
 	* locale/programs/locarchive.c (enlarge_archive): Conserve address
 	space when temporarily mapping the whole content of the old file.
 
diff --git a/iconv/gconv_simple.c b/iconv/gconv_simple.c
index 5cf3237abb..e34f3770ad 100644
--- a/iconv/gconv_simple.c
+++ b/iconv/gconv_simple.c
@@ -1,5 +1,5 @@
 /* Simple transformations functions.
-   Copyright (C) 1997-2005, 2007, 2008 Free Software Foundation, Inc.
+   Copyright (C) 1997-2005, 2007, 2008, 2009 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Ulrich Drepper <drepper@cygnus.com>, 1997.
 
@@ -1037,7 +1037,9 @@ ucs4le_internal_loop_single (struct __gconv_step *step,
 	/* If i < cnt, some trail byte was not >= 0x80, < 0xc0.		      \
 	   If cnt > 2 and ch < 2^(5*cnt-4), the wide character ch could	      \
 	   have been represented with fewer than cnt bytes.  */		      \
-	if (i < cnt || (cnt > 2 && (ch >> (5 * cnt - 4)) == 0))		      \
+	if (i < cnt || (cnt > 2 && (ch >> (5 * cnt - 4)) == 0)		      \
+	    /* Do not accept UTF-16 surrogates.  */			      \
+	    || (ch >= 0xd800 && ch <= 0xdfff))				      \
 	  {								      \
 	    /* This is an illegal encoding.  */				      \
 	    goto errout;						      \