From f07626d0297ed6bd21623409e1ea1ae1138d23a8 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Tue, 24 Nov 2015 13:54:09 +1300
Subject: [PATCH] CVE-2015-5330: next_codepoint_handle_ext: don't short-circuit UTF16 low bytes

UTF16 contains zero bytes when it is encoding ASCII (for example), so we can't assume the absense of the 0x80 bit means a one byte encoding. No current callers use UTF16.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599

Signed-off-by: Douglas Bagnall
Pair-programmed-with: Andrew Bartlett
Reviewed-by: Ralph Boehme
---
 lib/util/charset/codepoints.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/util/charset/codepoints.c b/lib/util/charset/codepoints.c
index 542eeae73a5..19d084f3d4a 100644
--- a/lib/util/charset/codepoints.c
+++ b/lib/util/charset/codepoints.c
@@ -331,7 +331,10 @@ _PUBLIC_ codepoint_t next_codepoint_handle_ext(
 size_t olen;
 char *outbuf;
 
- if ((str[0] & 0x80) == 0) {
+
+ if (((str[0] & 0x80) == 0) && (src_charset == CH_DOS ||
+ src_charset == CH_UNIX ||
+ src_charset == CH_UTF8)) {
 *bytes_consumed = 1;
 return (codepoint_t)str[0];
 }
-- 
2.34.1
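Review bot: The charset allow-list on the new `if` has no comment, so the reason for it is recorded only in the commit message, and a later cleanup could reduce it to the bare high-bit test again and bring back the wrong one-byte result for UTF16 input. A comment directly above the condition would keep that from happening, for example `/* One-byte shortcut is valid only for ASCII-compatible charsets; UTF16 code units contain bytes below 0x80, so every other charset must go through the conversion path. */`. Because the message states that no current caller passes UTF16, the fall-through for that charset is presumably unexercised, and a unit test that feeds a UTF16 string whose first byte is below 0x80 would pin the behaviour. The added empty `+` line also leaves two consecutive blank lines before the `if`. The body of next_codepoint_handle_ext starts and ends outside this hunk, so the conversion path itself is not reviewed here.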