From 1eb41ae34b462dda54abec756234651a2e1bc0e1 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Sat, 28 Mar 2015 13:24:23 +0100
Subject: [PATCH 1/2] g_utf8_to_ucs4_fast: prevent access past the end of string
---
 lib/nfkc.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/lib/nfkc.c b/lib/nfkc.c
index fbea0c8..b5679de 100644
--- a/lib/nfkc.c
+++ b/lib/nfkc.c
@@ -389,25 +389,36 @@ g_utf8_to_ucs4_fast (const gchar * str, glong len, glong * items_written)
 gunichar *result;
 gsize n_chars, i;
 const gchar *p;
+ glong left = len, skip;
 g_return_val_if_fail (str != NULL, NULL);
+ /* left holds the length in bytes */
+ if (left < 0) left = strlen(str);
+
 p = str;
 n_chars = 0;
 if (len < 0)
 {
 while (*p)
 {
- p = g_utf8_next_char (p);
+ skip = g_utf8_skip[*(const guchar *)(p)];
+ left -= skip;
+ p += skip;
 ++n_chars;
+ if (left < 0)
+ return NULL;
 }
 }
 else
 {
 while (p < str + len && *p)
 {
- p = g_utf8_next_char (p);
+ skip = g_utf8_skip[*(const guchar *)(p)];
+ p += skip;
 ++n_chars;
+ if (left < 0)
+ return NULL;
 }
 }
-- 
2.1.4
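Review bot: In the `else` branch (`len >= 0`) `left` is never decremented, so the added `if (left < 0) return NULL;` can never fire there, and a truncated multi-byte sequence at the end of a length-bounded buffer still moves `p` beyond `str + len`. Add `left -= skip;` after the table lookup in that loop, or test before advancing in both loops with `if (skip > left) return NULL;`, which also avoids forming a pointer past the end of the string. The new `return NULL` is an error return that callers may not have had to handle before. The rest of the function and its callers lie outside the hunk, so confirm that callers check for NULL and that the decode loop after the count applies the same bound.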