From bd4d04075fa126552b31cd11aaa50dad72119e6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?=
Date: Fri, 6 Jul 2018 13:05:56 +0200
Subject: [PATCH 2/3] Check codepoint validity in punycode_decode() and punycode_decode()

These functions were able to generate invalid unicode values resp. invalid punycode. This is undocumented/unexpected behavior that can lead to security vulns.

Reported-by: Mike Schiffman (Farsight Security, Inc.)
---
 lib/punycode.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/punycode.c b/lib/punycode.c
index d475b6d..f7c63e6 100644
--- a/lib/punycode.c
+++ b/lib/punycode.c
@@ -228,6 +228,8 @@ punycode_encode (size_t input_length,
 output[out++] = case_flags ?
 encode_basic (input[j], case_flags[j]) : (char) input[j];
 }
+ else if (input[j] > 0x10FFFF)
+ return punycode_bad_input;
 /* else if (input[j] < n) return punycode_bad_input; */
 /* (not needed for Punycode with unsigned code points) */
 }
@@ -418,6 +420,8 @@ punycode_decode (size_t input_length,
 if (i / (out + 1) > maxint - n)
 return punycode_overflow;
 n += i / (out + 1);
+ if (n > 0x10FFFF)
+ return punycode_bad_input;
 i %= (out + 1);

 /* Insert n at position i of the output: */
--
1.8.3.1
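Review bot: The added `else if (input[j] > 0x10FFFF)` branch in punycode_encode rejects values above the Unicode range but still accepts the surrogate range 0xD800–0xDFFF, which are not Unicode scalar values and cannot appear in well-formed UTF-8 or UTF-32; the `if (n > 0x10FFFF)` check added to punycode_decode in the second hunk has the same gap. If no other patch in this three-part series covers it, the conditions could be widened, for example `else if (input[j] > 0x10FFFF || (input[j] >= 0xD800 && input[j] <= 0xDFFF))` and the equivalent test on `n`. Both functions start and end outside their hunks, so whether surrogates are filtered elsewhere cannot be told from here.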
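Review bot: The bound in the added `if (n > 0x10FFFF)` of punycode_decode is a bare literal that is repeated in the encode hunk, and neither check carries a comment although the neighbouring lines do. A shared named constant would keep the two limits in step, for example `enum { unicode_max = 0x10FFFF };` near the top of the file, with `/* n must stay within the Unicode code space */` above the check. The commit touches only lib/punycode.c, so the public description of `punycode_bad_input` probably also needs a sentence saying that both functions now return it for out-of-range code points. punycode_decode's body continues outside the hunk.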