Security fix:

[mandoc.git] / chars.c

diff --git a/chars.c b/chars.c
index baa560034ff97e37fa4437873b0eb16ba7e68180..d758d0ccbd1bd6d0a219b635ffc9e53f2a35e3dc 100644 (file)
--- a/chars.c
+++ b/chars.c
@@ -1,4 +1,4 @@
-/*     $Id: chars.c,v 1.57 2014/04/20 16:46:04 schwarze Exp $ */
+/*     $Id: chars.c,v 1.58 2014/07/23 15:00:08 schwarze Exp $ */
 /*
  * Copyright (c) 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2011 Ingo Schwarze <schwarze@openbsd.org>
@@ -127,7 +127,18 @@ mchars_num2uc(const char *p, size_t sz)
 
        if ((i = mandoc_strntoi(p, sz, 16)) < 0)
                return('\0');
-       /* FIXME: make sure we're not in a bogus range. */
+
+       /*
+        * Security warning:
+        * Never extend the range of accepted characters
+        * to overlap with the ASCII range, 0x00-0x7F
+        * without re-auditing the callers of this function.
+        * Some callers might relay on the fact that we never
+        * return ASCII characters for their escaping decisions.
+        *
+        * XXX Code is missing here to exclude bogus ranges.
+        */
+
        return(i > 0x80 && i <= 0x10FFFF ? i : '\0');
 }