Index: src/OFString.m
==================================================================
--- src/OFString.m
+++ src/OFString.m
@@ -129,11 +129,10 @@
 }
 
 ssize_t
 of_string_utf8_decode(const char *buffer_, size_t length, of_unichar_t *ret)
 {
-	/* FIXME: Check if the following bytes are indeed surrogates */
 	const uint8_t *buffer = (const uint8_t*)buffer_;
 
 	if (!(*buffer & 0x80)) {
 		*ret = buffer[0];
 		return 1;
@@ -140,27 +139,38 @@
 	}
 
 	if ((*buffer & 0xE0) == 0xC0) {
 		if OF_UNLIKELY (length < 2)
 			return -2;
+
+		if OF_UNLIKELY ((buffer[1] & 0xC0) != 0x80)
+			return 0;
 
 		*ret = ((buffer[0] & 0x1F) << 6) | (buffer[1] & 0x3F);
 		return 2;
 	}
 
 	if ((*buffer & 0xF0) == 0xE0) {
 		if OF_UNLIKELY (length < 3)
 			return -3;
+
+		if OF_UNLIKELY ((buffer[1] & 0xC0) != 0x80 ||
+		    (buffer[2] & 0xC0) != 0x80)
+			return 0;
 
 		*ret = ((buffer[0] & 0x0F) << 12) | ((buffer[1] & 0x3F) << 6) |
 		    (buffer[2] & 0x3F);
 		return 3;
 	}
 
 	if ((*buffer & 0xF8) == 0xF0) {
 		if OF_UNLIKELY (length < 4)
 			return -4;
+
+		if OF_UNLIKELY ((buffer[1] & 0xC0) != 0x80 ||
+		    (buffer[2] & 0xC0) != 0x80 || (buffer[3] & 0xC0) != 0x80)
+			return 0;
 
 		*ret = ((buffer[0] & 0x07) << 18) | ((buffer[1] & 0x3F) << 12) |
 		    ((buffer[2] & 0x3F) << 6) | (buffer[3] & 0x3F);
 		return 4;
 	}