From 4457bb5bf106a91ed131a506269c5e09606c6f57 Mon Sep 17 00:00:00 2001
From: Max Rees <maxcrees@me.com>
Date: Mon, 16 Mar 2020 18:00:11 -0500
Subject: system/icu: patch CVE-2020-10531
Also remove obsolete CVE-2017-7867-7868.patch - this was merged since at
least 59.1 and was left over from when icu was originally pulled into the
system/ tree in 2018.
https://github.com/unicode-org/icu/commit/35a07bf89d64809b2e9af3cc90b53e3261677c53
---
system/icu/APKBUILD | 9 ++-
system/icu/CVE-2017-7867-7868.patch | 155 ------------------------------------
system/icu/CVE-2020-10531.patch | 118 +++++++++++++++++++++++++++
3 files changed, 125 insertions(+), 157 deletions(-)
delete mode 100644 system/icu/CVE-2017-7867-7868.patch
create mode 100644 system/icu/CVE-2020-10531.patch
(limited to 'system')
diff --git a/system/icu/APKBUILD b/system/icu/APKBUILD
index 4165246a3..046698316 100644
--- a/system/icu/APKBUILD
+++ b/system/icu/APKBUILD
@@ -6,7 +6,7 @@ pkgver=65.1
# convert x.y.z to x_y_z
_ver=$(printf '%s' "$pkgver" | tr . _)
-pkgrel=0
+pkgrel=1
pkgdesc="International Components for Unicode"
url="http://site.icu-project.org/"
arch="all"
@@ -17,6 +17,7 @@ makedepends=""
subpackages="$pkgname-static $pkgname-dev $pkgname-doc $pkgname-libs"
source="https://github.com/unicode-org/icu/releases/download/release-$(printf '%s' "$pkgver" | tr . -)/${pkgname}4c-$_ver-src.tgz
icu-60.2-always-use-utf8.patch
+ CVE-2020-10531.patch
"
# secfixes:
@@ -27,6 +28,9 @@ source="https://github.com/unicode-org/icu/releases/download/release-$(printf '%
# 58.2-r2:
# - CVE-2017-7867
# - CVE-2017-7868
+# 65.1-r1:
+# - CVE-2020-10531
+
builddir="$srcdir"/icu/source
prepare() {
@@ -73,4 +77,5 @@ static() {
}
sha512sums="8f1ef33e1f4abc9a8ee870331c59f01b473d6da1251a19ce403f822f3e3871096f0791855d39c8f20c612fc49cda2c62c06864aa32ddab2dbd186d2b21ce9139 icu4c-65_1-src.tgz
-f86c62422f38f6485c58d4766e629bab69e4b0e00fa910854e40e7db1ace299152eaefa99ae2fbab7465e65d3156cbea7124612defa60680db58ab5c34d6262f icu-60.2-always-use-utf8.patch"
+f86c62422f38f6485c58d4766e629bab69e4b0e00fa910854e40e7db1ace299152eaefa99ae2fbab7465e65d3156cbea7124612defa60680db58ab5c34d6262f icu-60.2-always-use-utf8.patch
+2901235a24b1973516e495473188b077eb0486714ac47f702f226a3406176e913672159978b67548a1316284ecc716e06158b05c190ddfa83ad576a7a3539d72 CVE-2020-10531.patch"
diff --git a/system/icu/CVE-2017-7867-7868.patch b/system/icu/CVE-2017-7867-7868.patch
deleted file mode 100644
index df18283c2..000000000
--- a/system/icu/CVE-2017-7867-7868.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-Index: source/common/utext.cpp
-===================================================================
---- source/common/utext.cpp (revision 39670)
-+++ source/common/utext.cpp (revision 39671)
-@@ -848,7 +848,13 @@
-
- // Chunk size.
--// Must be less than 85, because of byte mapping from UChar indexes to native indexes.
--// Worst case is three native bytes to one UChar. (Supplemenaries are 4 native bytes
--// to two UChars.)
-+// Must be less than 42 (256/6), because of byte mapping from UChar indexes to native indexes.
-+// Worst case there are six UTF-8 bytes per UChar.
-+// obsolete 6 byte form fd + 5 trails maps to fffd
-+// obsolete 5 byte form fc + 4 trails maps to fffd
-+// non-shortest 4 byte forms maps to fffd
-+// normal supplementaries map to a pair of utf-16, two utf8 bytes per utf-16 unit
-+// mapToUChars array size must allow for the worst case, 6.
-+// This could be brought down to 4, by treating fd and fc as pure illegal,
-+// rather than obsolete lead bytes. But that is not compatible with the utf-8 access macros.
- //
- enum { UTF8_TEXT_CHUNK_SIZE=32 };
-@@ -890,5 +896,5 @@
- // one for a supplementary starting in the last normal position,
- // and one for an entry for the buffer limit position.
-- uint8_t mapToUChars[UTF8_TEXT_CHUNK_SIZE*3+6]; // Map native offset from bufNativeStart to
-+ uint8_t mapToUChars[UTF8_TEXT_CHUNK_SIZE*6+6]; // Map native offset from bufNativeStart to
- // correspoding offset in filled part of buf.
- int32_t align;
-@@ -1033,4 +1039,5 @@
- u8b = (UTF8Buf *)ut->p; // the current buffer
- mapIndex = ix - u8b->toUCharsMapStart;
-+ U_ASSERT(mapIndex < (int32_t)sizeof(UTF8Buf::mapToUChars));
- ut->chunkOffset = u8b->mapToUChars[mapIndex] - u8b->bufStartIdx;
- return TRUE;
-@@ -1299,4 +1306,8 @@
- // If index is at the end, there is no character there to look at.
- if (ix != ut->b) {
-+ // Note: this function will only move the index back if it is on a trail byte
-+ // and there is a preceding lead byte and the sequence from the lead
-+ // through this trail could be part of a valid UTF-8 sequence
-+ // Otherwise the index remains unchanged.
- U8_SET_CP_START(s8, 0, ix);
- }
-@@ -1312,5 +1323,8 @@
- uint8_t *mapToNative = u8b->mapToNative;
- uint8_t *mapToUChars = u8b->mapToUChars;
-- int32_t toUCharsMapStart = ix - (UTF8_TEXT_CHUNK_SIZE*3 + 1);
-+ int32_t toUCharsMapStart = ix - sizeof(UTF8Buf::mapToUChars) + 1;
-+ // Note that toUCharsMapStart can be negative. Happens when the remaining
-+ // text from current position to the beginning is less than the buffer size.
-+ // + 1 because mapToUChars must have a slot at the end for the bufNativeLimit entry.
- int32_t destIx = UTF8_TEXT_CHUNK_SIZE+2; // Start in the overflow region
- // at end of buffer to leave room
-@@ -1339,4 +1353,5 @@
- // Special case ASCII range for speed.
- buf[destIx] = (UChar)c;
-+ U_ASSERT(toUCharsMapStart <= srcIx);
- mapToUChars[srcIx - toUCharsMapStart] = (uint8_t)destIx;
- mapToNative[destIx] = (uint8_t)(srcIx - toUCharsMapStart);
-@@ -1368,4 +1383,5 @@
- mapToUChars[sIx-- - toUCharsMapStart] = (uint8_t)destIx;
- } while (sIx >= srcIx);
-+ U_ASSERT(toUCharsMapStart <= (srcIx+1));
-
- // Set native indexing limit to be the current position.
-@@ -1542,4 +1558,5 @@
- U_ASSERT(index<=ut->chunkNativeLimit);
- int32_t mapIndex = index - u8b->toUCharsMapStart;
-+ U_ASSERT(mapIndex < (int32_t)sizeof(UTF8Buf::mapToUChars));
- int32_t offset = u8b->mapToUChars[mapIndex] - u8b->bufStartIdx;
- U_ASSERT(offset>=0 && offset<=ut->chunkLength);
-Index: source/test/intltest/utxttest.cpp
-===================================================================
---- source/test/intltest/utxttest.cpp (revision 39670)
-+++ source/test/intltest/utxttest.cpp (revision 39671)
-@@ -68,4 +68,6 @@
- case 7: name = "Ticket12130";
- if (exec) Ticket12130(); break;
-+ case 8: name = "Ticket12888";
-+ if (exec) Ticket12888(); break;
- default: name = ""; break;
- }
-@@ -1584,2 +1586,62 @@
- utext_close(&ut);
- }
-+
-+// Ticket 12888: bad handling of illegal utf-8 containing many instances of the archaic, now illegal,
-+// six byte utf-8 forms. Original implementation had an assumption that
-+// there would be at most three utf-8 bytes per UTF-16 code unit.
-+// The five and six byte sequences map to a single replacement character.
-+
-+void UTextTest::Ticket12888() {
-+ const char *badString =
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80";
-+
-+ UErrorCode status = U_ZERO_ERROR;
-+ LocalUTextPointer ut(utext_openUTF8(NULL, badString, -1, &status));
-+ TEST_SUCCESS(status);
-+ for (;;) {
-+ UChar32 c = utext_next32(ut.getAlias());
-+ if (c == U_SENTINEL) {
-+ break;
-+ }
-+ }
-+ int32_t endIdx = utext_getNativeIndex(ut.getAlias());
-+ if (endIdx != (int32_t)strlen(badString)) {
-+ errln("%s:%d expected=%d, actual=%d", __FILE__, __LINE__, strlen(badString), endIdx);
-+ return;
-+ }
-+
-+ for (int32_t prevIndex = endIdx; prevIndex>0;) {
-+ UChar32 c = utext_previous32(ut.getAlias());
-+ int32_t currentIndex = utext_getNativeIndex(ut.getAlias());
-+ if (c != 0xfffd) {
-+ errln("%s:%d (expected, actual, index) = (%d, %d, %d)\n",
-+ __FILE__, __LINE__, 0xfffd, c, currentIndex);
-+ break;
-+ }
-+ if (currentIndex != prevIndex - 6) {
-+ errln("%s:%d: wrong index. Expected, actual = %d, %d",
-+ __FILE__, __LINE__, prevIndex - 6, currentIndex);
-+ break;
-+ }
-+ prevIndex = currentIndex;
-+ }
-+}
-Index: source/test/intltest/utxttest.h
-===================================================================
---- source/test/intltest/utxttest.h (revision 39670)
-+++ source/test/intltest/utxttest.h (revision 39671)
-@@ -39,4 +39,5 @@
- void Ticket10983();
- void Ticket12130();
-+ void Ticket12888();
-
- private:
diff --git a/system/icu/CVE-2020-10531.patch b/system/icu/CVE-2020-10531.patch
new file mode 100644
index 000000000..f456b06ec
--- /dev/null
+++ b/system/icu/CVE-2020-10531.patch
@@ -0,0 +1,118 @@
+From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
+From: Frank Tang <ftang@chromium.org>
+Date: Sat, 1 Feb 2020 02:39:04 +0000
+Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
+
+See #971
+---
+ source/common/unistr.cpp | 6 ++-
+ source/test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++
+ source/test/intltest/ustrtest.h | 1 +
+ 3 files changed, 68 insertions(+), 1 deletion(-)
+
+diff --git source/common/unistr.cpp source/common/unistr.cpp
+index 901bb3358ba..077b4d6ef20 100644
+--- source/common/unistr.cpp
++++ source/common/unistr.cpp
+@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
+ }
+
+ int32_t oldLength = length();
+- int32_t newLength = oldLength + srcLength;
++ int32_t newLength;
++ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
++ setToBogus();
++ return *this;
++ }
+
+ // Check for append onto ourself
+ const UChar* oldArray = getArrayStart();
+diff --git source/test/intltest/ustrtest.cpp source/test/intltest/ustrtest.cpp
+index b6515ea813c..ad38bdf53a3 100644
+--- source/test/intltest/ustrtest.cpp
++++ source/test/intltest/ustrtest.cpp
+@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
+ TESTCASE_AUTO(TestWCharPointers);
+ TESTCASE_AUTO(TestNullPointers);
+ TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf);
++ TESTCASE_AUTO(TestLargeAppend);
+ TESTCASE_AUTO_END;
+ }
+
+@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() {
+ str.insert(2, sub);
+ assertEquals("", u"abbcdcde", str);
+ }
++
++void UnicodeStringTest::TestLargeAppend() {
++ if(quick) return;
++
++ IcuTestErrorCode status(*this, "TestLargeAppend");
++ // Make a large UnicodeString
++ int32_t len = 0xAFFFFFF;
++ UnicodeString str;
++ char16_t *buf = str.getBuffer(len);
++ // A fast way to set buffer to valid Unicode.
++ // 4E4E is a valid unicode character
++ uprv_memset(buf, 0x4e, len * 2);
++ str.releaseBuffer(len);
++ UnicodeString dest;
++ // Append it 16 times
++ // 0xAFFFFFF times 16 is 0xA4FFFFF1,
++ // which is greater than INT32_MAX, which is 0x7FFFFFFF.
++ int64_t total = 0;
++ for (int32_t i = 0; i < 16; i++) {
++ dest.append(str);
++ total += len;
++ if (total <= INT32_MAX) {
++ assertFalse("dest is not bogus", dest.isBogus());
++ } else {
++ assertTrue("dest should be bogus", dest.isBogus());
++ }
++ }
++ dest.remove();
++ total = 0;
++ for (int32_t i = 0; i < 16; i++) {
++ dest.append(str);
++ total += len;
++ if (total + len <= INT32_MAX) {
++ assertFalse("dest is not bogus", dest.isBogus());
++ } else if (total <= INT32_MAX) {
++ // Check that a string of exactly the maximum size works
++ UnicodeString str2;
++ int32_t remain = INT32_MAX - total;
++ char16_t *buf2 = str2.getBuffer(remain);
++ if (buf2 == nullptr) {
++ // if somehow memory allocation fail, return the test
++ return;
++ }
++ uprv_memset(buf2, 0x4e, remain * 2);
++ str2.releaseBuffer(remain);
++ dest.append(str2);
++ total += remain;
++ assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
++ assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
++ assertFalse("dest is not bogus", dest.isBogus());
++
++ // Check that a string size+1 goes bogus
++ str2.truncate(1);
++ dest.append(str2);
++ total++;
++ assertTrue("dest should be bogus", dest.isBogus());
++ } else {
++ assertTrue("dest should be bogus", dest.isBogus());
++ }
++ }
++}
+diff --git source/test/intltest/ustrtest.h source/test/intltest/ustrtest.h
+index 218befdcc68..4a356a92c7a 100644
+--- source/test/intltest/ustrtest.h
++++ source/test/intltest/ustrtest.h
+@@ -97,6 +97,7 @@ class UnicodeStringTest: public IntlTest {
+ void TestWCharPointers();
+ void TestNullPointers();
+ void TestUnicodeStringInsertAppendToSelf();
++ void TestLargeAppend();
+ };
+
+ #endif
--
cgit v1.2.3-70-g09d2