summaryrefslogtreecommitdiff
path: root/system/icu/CVE-2020-10531.patch
diff options
context:
space:
mode:
authorMax Rees <maxcrees@me.com>2020-03-16 18:00:11 -0500
committerMax Rees <maxcrees@me.com>2020-03-19 22:21:21 -0500
commit4457bb5bf106a91ed131a506269c5e09606c6f57 (patch)
treeba33c63526cb0c365b748ecde9247b29cb387bbd /system/icu/CVE-2020-10531.patch
parent3e7d2c3bb270b56c4b30a5e580146c7a87cd9bf4 (diff)
downloadpackages-4457bb5bf106a91ed131a506269c5e09606c6f57.tar.gz
packages-4457bb5bf106a91ed131a506269c5e09606c6f57.tar.bz2
packages-4457bb5bf106a91ed131a506269c5e09606c6f57.tar.xz
packages-4457bb5bf106a91ed131a506269c5e09606c6f57.zip
system/icu: patch CVE-2020-10531
Also remove obsolete CVE-2017-7867-7868.patch - this was merged since at least 59.1 and was left over from when icu was originally pulled into the system/ tree in 2018. https://github.com/unicode-org/icu/commit/35a07bf89d64809b2e9af3cc90b53e3261677c53
Diffstat (limited to 'system/icu/CVE-2020-10531.patch')
-rw-r--r--system/icu/CVE-2020-10531.patch118
1 files changed, 118 insertions, 0 deletions
diff --git a/system/icu/CVE-2020-10531.patch b/system/icu/CVE-2020-10531.patch
new file mode 100644
index 000000000..f456b06ec
--- /dev/null
+++ b/system/icu/CVE-2020-10531.patch
@@ -0,0 +1,118 @@
+From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
+From: Frank Tang <ftang@chromium.org>
+Date: Sat, 1 Feb 2020 02:39:04 +0000
+Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
+
+See #971
+---
+ source/common/unistr.cpp | 6 ++-
+ source/test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++
+ source/test/intltest/ustrtest.h | 1 +
+ 3 files changed, 68 insertions(+), 1 deletion(-)
+
+diff --git source/common/unistr.cpp source/common/unistr.cpp
+index 901bb3358ba..077b4d6ef20 100644
+--- source/common/unistr.cpp
++++ source/common/unistr.cpp
+@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
+ }
+
+ int32_t oldLength = length();
+- int32_t newLength = oldLength + srcLength;
++ int32_t newLength;
++ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
++ setToBogus();
++ return *this;
++ }
+
+ // Check for append onto ourself
+ const UChar* oldArray = getArrayStart();
+diff --git source/test/intltest/ustrtest.cpp source/test/intltest/ustrtest.cpp
+index b6515ea813c..ad38bdf53a3 100644
+--- source/test/intltest/ustrtest.cpp
++++ source/test/intltest/ustrtest.cpp
+@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
+ TESTCASE_AUTO(TestWCharPointers);
+ TESTCASE_AUTO(TestNullPointers);
+ TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf);
++ TESTCASE_AUTO(TestLargeAppend);
+ TESTCASE_AUTO_END;
+ }
+
+@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() {
+ str.insert(2, sub);
+ assertEquals("", u"abbcdcde", str);
+ }
++
++void UnicodeStringTest::TestLargeAppend() {
++ if(quick) return;
++
++ IcuTestErrorCode status(*this, "TestLargeAppend");
++ // Make a large UnicodeString
++ int32_t len = 0xAFFFFFF;
++ UnicodeString str;
++ char16_t *buf = str.getBuffer(len);
++ // A fast way to set buffer to valid Unicode.
++ // 4E4E is a valid unicode character
++ uprv_memset(buf, 0x4e, len * 2);
++ str.releaseBuffer(len);
++ UnicodeString dest;
++ // Append it 16 times
++ // 0xAFFFFFF times 16 is 0xA4FFFFF1,
++ // which is greater than INT32_MAX, which is 0x7FFFFFFF.
++ int64_t total = 0;
++ for (int32_t i = 0; i < 16; i++) {
++ dest.append(str);
++ total += len;
++ if (total <= INT32_MAX) {
++ assertFalse("dest is not bogus", dest.isBogus());
++ } else {
++ assertTrue("dest should be bogus", dest.isBogus());
++ }
++ }
++ dest.remove();
++ total = 0;
++ for (int32_t i = 0; i < 16; i++) {
++ dest.append(str);
++ total += len;
++ if (total + len <= INT32_MAX) {
++ assertFalse("dest is not bogus", dest.isBogus());
++ } else if (total <= INT32_MAX) {
++ // Check that a string of exactly the maximum size works
++ UnicodeString str2;
++ int32_t remain = INT32_MAX - total;
++ char16_t *buf2 = str2.getBuffer(remain);
++ if (buf2 == nullptr) {
++ // if somehow memory allocation fail, return the test
++ return;
++ }
++ uprv_memset(buf2, 0x4e, remain * 2);
++ str2.releaseBuffer(remain);
++ dest.append(str2);
++ total += remain;
++ assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
++ assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
++ assertFalse("dest is not bogus", dest.isBogus());
++
++ // Check that a string size+1 goes bogus
++ str2.truncate(1);
++ dest.append(str2);
++ total++;
++ assertTrue("dest should be bogus", dest.isBogus());
++ } else {
++ assertTrue("dest should be bogus", dest.isBogus());
++ }
++ }
++}
+diff --git source/test/intltest/ustrtest.h source/test/intltest/ustrtest.h
+index 218befdcc68..4a356a92c7a 100644
+--- source/test/intltest/ustrtest.h
++++ source/test/intltest/ustrtest.h
+@@ -97,6 +97,7 @@ class UnicodeStringTest: public IntlTest {
+ void TestWCharPointers();
+ void TestNullPointers();
+ void TestUnicodeStringInsertAppendToSelf();
++ void TestLargeAppend();
+ };
+
+ #endif