From 4457bb5bf106a91ed131a506269c5e09606c6f57 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Mon, 16 Mar 2020 18:00:11 -0500 Subject: system/icu: patch CVE-2020-10531 Also remove the obsolete CVE-2017-7867-7868.patch - its fix has been included upstream since at least 59.1, and the file was left over from when icu was originally pulled into the system/ tree in 2018. https://github.com/unicode-org/icu/commit/35a07bf89d64809b2e9af3cc90b53e3261677c53 --- system/icu/APKBUILD | 9 ++- system/icu/CVE-2017-7867-7868.patch | 155 ------------------------------------ system/icu/CVE-2020-10531.patch | 118 +++++++++++++++++++++++++++ 3 files changed, 125 insertions(+), 157 deletions(-) delete mode 100644 system/icu/CVE-2017-7867-7868.patch create mode 100644 system/icu/CVE-2020-10531.patch diff --git a/system/icu/APKBUILD b/system/icu/APKBUILD index 4165246a3..046698316 100644 --- a/system/icu/APKBUILD +++ b/system/icu/APKBUILD @@ -6,7 +6,7 @@ pkgver=65.1 # convert x.y.z to x_y_z _ver=$(printf '%s' "$pkgver" | tr . _) -pkgrel=0 +pkgrel=1 pkgdesc="International Components for Unicode" url="http://site.icu-project.org/" arch="all" @@ -17,6 +17,7 @@ makedepends="" subpackages="$pkgname-static $pkgname-dev $pkgname-doc $pkgname-libs" source="https://github.com/unicode-org/icu/releases/download/release-$(printf '%s' "$pkgver" | tr . 
-)/${pkgname}4c-$_ver-src.tgz icu-60.2-always-use-utf8.patch + CVE-2020-10531.patch " # secfixes: @@ -27,6 +28,9 @@ source="https://github.com/unicode-org/icu/releases/download/release-$(printf '% # 58.2-r2: # - CVE-2017-7867 # - CVE-2017-7868 +# 65.1-r1: +# - CVE-2020-10531 + builddir="$srcdir"/icu/source prepare() { @@ -73,4 +77,5 @@ static() { } sha512sums="8f1ef33e1f4abc9a8ee870331c59f01b473d6da1251a19ce403f822f3e3871096f0791855d39c8f20c612fc49cda2c62c06864aa32ddab2dbd186d2b21ce9139 icu4c-65_1-src.tgz -f86c62422f38f6485c58d4766e629bab69e4b0e00fa910854e40e7db1ace299152eaefa99ae2fbab7465e65d3156cbea7124612defa60680db58ab5c34d6262f icu-60.2-always-use-utf8.patch" +f86c62422f38f6485c58d4766e629bab69e4b0e00fa910854e40e7db1ace299152eaefa99ae2fbab7465e65d3156cbea7124612defa60680db58ab5c34d6262f icu-60.2-always-use-utf8.patch +2901235a24b1973516e495473188b077eb0486714ac47f702f226a3406176e913672159978b67548a1316284ecc716e06158b05c190ddfa83ad576a7a3539d72 CVE-2020-10531.patch" diff --git a/system/icu/CVE-2017-7867-7868.patch b/system/icu/CVE-2017-7867-7868.patch deleted file mode 100644 index df18283c2..000000000 --- a/system/icu/CVE-2017-7867-7868.patch +++ /dev/null @@ -1,155 +0,0 @@ -Index: source/common/utext.cpp -=================================================================== ---- source/common/utext.cpp (revision 39670) -+++ source/common/utext.cpp (revision 39671) -@@ -848,7 +848,13 @@ - - // Chunk size. --// Must be less than 85, because of byte mapping from UChar indexes to native indexes. --// Worst case is three native bytes to one UChar. (Supplemenaries are 4 native bytes --// to two UChars.) -+// Must be less than 42 (256/6), because of byte mapping from UChar indexes to native indexes. -+// Worst case there are six UTF-8 bytes per UChar. 
-+// obsolete 6 byte form fd + 5 trails maps to fffd -+// obsolete 5 byte form fc + 4 trails maps to fffd -+// non-shortest 4 byte forms maps to fffd -+// normal supplementaries map to a pair of utf-16, two utf8 bytes per utf-16 unit -+// mapToUChars array size must allow for the worst case, 6. -+// This could be brought down to 4, by treating fd and fc as pure illegal, -+// rather than obsolete lead bytes. But that is not compatible with the utf-8 access macros. - // - enum { UTF8_TEXT_CHUNK_SIZE=32 }; -@@ -890,5 +896,5 @@ - // one for a supplementary starting in the last normal position, - // and one for an entry for the buffer limit position. -- uint8_t mapToUChars[UTF8_TEXT_CHUNK_SIZE*3+6]; // Map native offset from bufNativeStart to -+ uint8_t mapToUChars[UTF8_TEXT_CHUNK_SIZE*6+6]; // Map native offset from bufNativeStart to - // correspoding offset in filled part of buf. - int32_t align; -@@ -1033,4 +1039,5 @@ - u8b = (UTF8Buf *)ut->p; // the current buffer - mapIndex = ix - u8b->toUCharsMapStart; -+ U_ASSERT(mapIndex < (int32_t)sizeof(UTF8Buf::mapToUChars)); - ut->chunkOffset = u8b->mapToUChars[mapIndex] - u8b->bufStartIdx; - return TRUE; -@@ -1299,4 +1306,8 @@ - // If index is at the end, there is no character there to look at. - if (ix != ut->b) { -+ // Note: this function will only move the index back if it is on a trail byte -+ // and there is a preceding lead byte and the sequence from the lead -+ // through this trail could be part of a valid UTF-8 sequence -+ // Otherwise the index remains unchanged. - U8_SET_CP_START(s8, 0, ix); - } -@@ -1312,5 +1323,8 @@ - uint8_t *mapToNative = u8b->mapToNative; - uint8_t *mapToUChars = u8b->mapToUChars; -- int32_t toUCharsMapStart = ix - (UTF8_TEXT_CHUNK_SIZE*3 + 1); -+ int32_t toUCharsMapStart = ix - sizeof(UTF8Buf::mapToUChars) + 1; -+ // Note that toUCharsMapStart can be negative. Happens when the remaining -+ // text from current position to the beginning is less than the buffer size. 
-+ // + 1 because mapToUChars must have a slot at the end for the bufNativeLimit entry. - int32_t destIx = UTF8_TEXT_CHUNK_SIZE+2; // Start in the overflow region - // at end of buffer to leave room -@@ -1339,4 +1353,5 @@ - // Special case ASCII range for speed. - buf[destIx] = (UChar)c; -+ U_ASSERT(toUCharsMapStart <= srcIx); - mapToUChars[srcIx - toUCharsMapStart] = (uint8_t)destIx; - mapToNative[destIx] = (uint8_t)(srcIx - toUCharsMapStart); -@@ -1368,4 +1383,5 @@ - mapToUChars[sIx-- - toUCharsMapStart] = (uint8_t)destIx; - } while (sIx >= srcIx); -+ U_ASSERT(toUCharsMapStart <= (srcIx+1)); - - // Set native indexing limit to be the current position. -@@ -1542,4 +1558,5 @@ - U_ASSERT(index<=ut->chunkNativeLimit); - int32_t mapIndex = index - u8b->toUCharsMapStart; -+ U_ASSERT(mapIndex < (int32_t)sizeof(UTF8Buf::mapToUChars)); - int32_t offset = u8b->mapToUChars[mapIndex] - u8b->bufStartIdx; - U_ASSERT(offset>=0 && offset<=ut->chunkLength); -Index: source/test/intltest/utxttest.cpp -=================================================================== ---- source/test/intltest/utxttest.cpp (revision 39670) -+++ source/test/intltest/utxttest.cpp (revision 39671) -@@ -68,4 +68,6 @@ - case 7: name = "Ticket12130"; - if (exec) Ticket12130(); break; -+ case 8: name = "Ticket12888"; -+ if (exec) Ticket12888(); break; - default: name = ""; break; - } -@@ -1584,2 +1586,62 @@ - utext_close(&ut); - } -+ -+// Ticket 12888: bad handling of illegal utf-8 containing many instances of the archaic, now illegal, -+// six byte utf-8 forms. Original implementation had an assumption that -+// there would be at most three utf-8 bytes per UTF-16 code unit. -+// The five and six byte sequences map to a single replacement character. 
-+ -+void UTextTest::Ticket12888() { -+ const char *badString = -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ 
"\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" -+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"; -+ -+ UErrorCode status = U_ZERO_ERROR; -+ LocalUTextPointer ut(utext_openUTF8(NULL, badString, -1, &status)); -+ TEST_SUCCESS(status); -+ for (;;) { -+ UChar32 c = utext_next32(ut.getAlias()); -+ if (c == U_SENTINEL) { -+ break; -+ } -+ } -+ int32_t endIdx = utext_getNativeIndex(ut.getAlias()); -+ if (endIdx != (int32_t)strlen(badString)) { -+ errln("%s:%d expected=%d, actual=%d", __FILE__, __LINE__, strlen(badString), endIdx); -+ return; -+ } -+ -+ for (int32_t prevIndex = endIdx; prevIndex>0;) { -+ UChar32 c = utext_previous32(ut.getAlias()); -+ int32_t currentIndex = utext_getNativeIndex(ut.getAlias()); -+ if (c != 0xfffd) { -+ errln("%s:%d (expected, actual, index) = (%d, %d, %d)\n", -+ __FILE__, __LINE__, 0xfffd, c, currentIndex); -+ break; -+ } -+ if (currentIndex != prevIndex - 6) { -+ errln("%s:%d: wrong index. 
Expected, actual = %d, %d", -+ __FILE__, __LINE__, prevIndex - 6, currentIndex); -+ break; -+ } -+ prevIndex = currentIndex; -+ } -+} -Index: source/test/intltest/utxttest.h -=================================================================== ---- source/test/intltest/utxttest.h (revision 39670) -+++ source/test/intltest/utxttest.h (revision 39671) -@@ -39,4 +39,5 @@ - void Ticket10983(); - void Ticket12130(); -+ void Ticket12888(); - - private: diff --git a/system/icu/CVE-2020-10531.patch b/system/icu/CVE-2020-10531.patch new file mode 100644 index 000000000..f456b06ec --- /dev/null +++ b/system/icu/CVE-2020-10531.patch @@ -0,0 +1,118 @@ +From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001 +From: Frank Tang +Date: Sat, 1 Feb 2020 02:39:04 +0000 +Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append + +See #971 +--- + source/common/unistr.cpp | 6 ++- + source/test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++ + source/test/intltest/ustrtest.h | 1 + + 3 files changed, 68 insertions(+), 1 deletion(-) + +diff --git source/common/unistr.cpp source/common/unistr.cpp +index 901bb3358ba..077b4d6ef20 100644 +--- source/common/unistr.cpp ++++ source/common/unistr.cpp +@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng + } + + int32_t oldLength = length(); +- int32_t newLength = oldLength + srcLength; ++ int32_t newLength; ++ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) { ++ setToBogus(); ++ return *this; ++ } + + // Check for append onto ourself + const UChar* oldArray = getArrayStart(); +diff --git source/test/intltest/ustrtest.cpp source/test/intltest/ustrtest.cpp +index b6515ea813c..ad38bdf53a3 100644 +--- source/test/intltest/ustrtest.cpp ++++ source/test/intltest/ustrtest.cpp +@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* & + TESTCASE_AUTO(TestWCharPointers); + TESTCASE_AUTO(TestNullPointers); + 
TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf); ++ TESTCASE_AUTO(TestLargeAppend); + TESTCASE_AUTO_END; + } + +@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() { + str.insert(2, sub); + assertEquals("", u"abbcdcde", str); + } ++ ++void UnicodeStringTest::TestLargeAppend() { ++ if(quick) return; ++ ++ IcuTestErrorCode status(*this, "TestLargeAppend"); ++ // Make a large UnicodeString ++ int32_t len = 0xAFFFFFF; ++ UnicodeString str; ++ char16_t *buf = str.getBuffer(len); ++ // A fast way to set buffer to valid Unicode. ++ // 4E4E is a valid unicode character ++ uprv_memset(buf, 0x4e, len * 2); ++ str.releaseBuffer(len); ++ UnicodeString dest; ++ // Append it 16 times ++ // 0xAFFFFFF times 16 is 0xA4FFFFF1, ++ // which is greater than INT32_MAX, which is 0x7FFFFFFF. ++ int64_t total = 0; ++ for (int32_t i = 0; i < 16; i++) { ++ dest.append(str); ++ total += len; ++ if (total <= INT32_MAX) { ++ assertFalse("dest is not bogus", dest.isBogus()); ++ } else { ++ assertTrue("dest should be bogus", dest.isBogus()); ++ } ++ } ++ dest.remove(); ++ total = 0; ++ for (int32_t i = 0; i < 16; i++) { ++ dest.append(str); ++ total += len; ++ if (total + len <= INT32_MAX) { ++ assertFalse("dest is not bogus", dest.isBogus()); ++ } else if (total <= INT32_MAX) { ++ // Check that a string of exactly the maximum size works ++ UnicodeString str2; ++ int32_t remain = INT32_MAX - total; ++ char16_t *buf2 = str2.getBuffer(remain); ++ if (buf2 == nullptr) { ++ // if somehow memory allocation fail, return the test ++ return; ++ } ++ uprv_memset(buf2, 0x4e, remain * 2); ++ str2.releaseBuffer(remain); ++ dest.append(str2); ++ total += remain; ++ assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total); ++ assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length()); ++ assertFalse("dest is not bogus", dest.isBogus()); ++ ++ // Check that a string size+1 goes bogus ++ str2.truncate(1); ++ 
dest.append(str2); ++ total++; ++ assertTrue("dest should be bogus", dest.isBogus()); ++ } else { ++ assertTrue("dest should be bogus", dest.isBogus()); ++ } ++ } ++} +diff --git source/test/intltest/ustrtest.h source/test/intltest/ustrtest.h +index 218befdcc68..4a356a92c7a 100644 +--- source/test/intltest/ustrtest.h ++++ source/test/intltest/ustrtest.h +@@ -97,6 +97,7 @@ class UnicodeStringTest: public IntlTest { + void TestWCharPointers(); + void TestNullPointers(); + void TestUnicodeStringInsertAppendToSelf(); ++ void TestLargeAppend(); + }; + + #endif -- cgit v1.2.3-70-g09d2