Re: infinite loop bug in libidn (pr29_4)

From: Simon Josefsson
Subject: Re: infinite loop bug in libidn (pr29_4)
Date: Sun, 08 Jan 2012 23:31:52 +0100

Simon Josefsson <address@hidden> writes:

> Jon Nelson <address@hidden> writes:
>> On or around line 1260 of lib/pr29.c, in the pr29_4 function.
>>   for (i = 0; i < len; i++)
>>     if ((row = first_column (in[i])) > 0)
>>       for (j = i + 1; j < len; j++)
>>         if (combinationclass (in[j]))
>>           for (k = j + 1; k < len; j++)
>>             if (in_last_column_row (in[k], row))
>>               return PR29_PROBLEM;
>> The infinite loop occurs when the character is present in
>> combinationclass but the following character is *not* in
>> in_last_column_row.
>> I believe the "k" loop should be incrementing *k* not *j*.
> Thanks for the report, Jon.  Do you have any example input strings that
> trigger this?  I'm sure I can work it out, but if you have them it would
> speed things up.

I was able to reproduce the bug using the string U+1100 U+0300 U+4711.
I agree with your fix, although there may be more problems with that
code.  I'm working on it.
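Added example, not part of the thread or of libidn's source: a regression harness that runs the quoted loop with either increment under a step budget, so the hang on U+1100 U+0300 U+4711 is reported as a result instead of blocking. The three predicates are simplified stand-ins for libidn's table lookups, and `scan`, `SCAN_BUDGET_EXCEEDED` and the `problem` input are hypothetical names and data constructed for illustration; only the increment change proposed in the thread is applied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* PR29_SUCCESS/PR29_PROBLEM mirror libidn's return codes; the third is hypothetical. */
enum { PR29_SUCCESS = 0, PR29_PROBLEM = 1, SCAN_BUDGET_EXCEEDED = -1 };

/* Stand-in predicates (assumptions): one table row, Hangul L then Hangul V. */
static int first_column(uint32_t c) { return (c >= 0x1100 && c <= 0x1112) ? 1 : 0; }
static int combinationclass(uint32_t c) { return (c >= 0x0300 && c <= 0x034E) ? 230 : 0; }
static int in_last_column_row(uint32_t c, int row)
{
  return row == 1 && c >= 0x1161 && c <= 0x1175;
}

/* Input from the thread, and a constructed input that should be flagged. */
static const uint32_t trigger[] = { 0x1100, 0x0300, 0x4711 };
static const uint32_t problem[] = { 0x1100, 0x0300, 0x1161 };

/* fixed == 0 keeps the reported j++ in the k loop; fixed != 0 uses k++.
   budget caps inner-loop iterations so the buggy variant returns. */
static int scan(const uint32_t *in, size_t len, int fixed, unsigned long budget)
{
  size_t i, j, k;
  int row;

  for (i = 0; i < len; i++)
    if ((row = first_column(in[i])) > 0)
      for (j = i + 1; j < len; j++)
        if (combinationclass(in[j]))
          for (k = j + 1; k < len; fixed ? k++ : j++) {
            if (budget-- == 0)
              return SCAN_BUDGET_EXCEEDED;   /* k never advanced */
            if (in_last_column_row(in[k], row))
              return PR29_PROBLEM;
          }
  return PR29_SUCCESS;
}

int main(void)
{
  printf("buggy on trigger: %d\n", scan(trigger, 3, 0, 1000));
  printf("fixed on trigger: %d\n", scan(trigger, 3, 1, 1000));
  printf("fixed on problem: %d\n", scan(problem, 3, 1, 1000));
  return 0;
}
```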


