$NetBSD: patch-aq,v 1.2 2007/09/15 12:04:01 tron Exp $

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4137

--- src/codecs/qutfcodec.cpp.orig	2007-02-02 14:01:08.000000000 +0000
+++ src/codecs/qutfcodec.cpp	2007-09-15 12:12:18.000000000 +0100
@@ -154,6 +154,7 @@
 
 class QUtf8Decoder : public QTextDecoder {
     uint uc;
+    uint min_uc;
     int need;
     bool headerDone;
 public:
@@ -164,11 +165,12 @@
     QString toUnicode(const char* chars, int len)
     {
 	QString result;
-	result.setLength( len ); // worst case
+	result.setLength( len + 1 ); // worst case
 	QChar *qch = (QChar *)result.unicode();
 	uchar ch;
+        int error = -1;
 	for (int i=0; i<len; i++) {
-	    ch = *chars++;
+	    ch = chars[i];
 	    if (need) {
 		if ( (ch&0xc0) == 0x80 ) {
 		    uc = (uc << 6) | (ch & 0x3f);
@@ -182,6 +184,8 @@
 			    *qch++ = QChar(high);
 			    *qch++ = QChar(low);
 			    headerDone = TRUE;
+			} else if ((uc < min_uc) || (uc >= 0xd800 && uc <= 0xdfff) || (uc >= 0xfffe)) {
+                            *qch++ = QChar::replacement;
 			} else {
 			    if (headerDone || QChar(uc) != QChar::byteOrderMark)
 				*qch++ = uc;
@@ -190,6 +194,7 @@
 		    }
 		} else {
 		    // error
+                    i = error;
 		    *qch++ = QChar::replacement;
 		    need = 0;
 		}
@@ -200,12 +205,21 @@
 		} else if ((ch & 0xe0) == 0xc0) {
 		    uc = ch & 0x1f;
 		    need = 1;
+                    error = i;
+		    min_uc = 0x80;
 		} else if ((ch & 0xf0) == 0xe0) {
 		    uc = ch & 0x0f;
 		    need = 2;
+                    error = i;
+		    min_uc = 0x800;
 		} else if ((ch&0xf8) == 0xf0) {
 		    uc = ch & 0x07;
 		    need = 3;
+                    error = i;
+                    min_uc = 0x10000;
+                } else {
+                    // error
+                    *qch++ = QChar::replacement;
 		}
 	    }
 	}