me/guix
Archived
1
0
Fork 0
Code Activity
This repository has been archived on 2024-08-07. You can view files and clone it, but cannot push or open issues or pull requests.
guix/gnu/packages/patches/icu4c-CVE-2020-10531.patch
Leo Famulari 7d57a190f6
gnu: icu4c: Fix CVE-2020-10531. 
* gnu/packages/patches/icu4c-CVE-2020-10531.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/icu4c.scm (icu4c)[replacement]: New field.
(icu4c/fixed): New variable.
2020-03-25 17:53:59 -04:00

127 lines
4.6 KiB
Diff
Raw Blame History

Fix CVE-2020-10531:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10531
Patch copied from upstream source repository (changes to the test suite
are commented out):
https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca
From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
From: Frank Tang <ftang@chromium.org>
Date: Sat, 1 Feb 2020 02:39:04 +0000
Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
See #971
---
icu4c/source/common/unistr.cpp | 6 ++-
icu4c/source/test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++
icu4c/source/test/intltest/ustrtest.h | 1 +
3 files changed, 68 insertions(+), 1 deletion(-)
diff --git a/icu4c/source/common/unistr.cpp b/icu4c/source/common/unistr.cpp
index 901bb3358ba..077b4d6ef20 100644
--- a/icu4c/source/common/unistr.cpp
+++ b/icu4c/source/common/unistr.cpp
@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
}
int32_t oldLength = length();
- int32_t newLength = oldLength + srcLength;
+ int32_t newLength;
+ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
+ setToBogus();
+ return *this;
+ }
// Check for append onto ourself
const UChar* oldArray = getArrayStart();
#diff --git a/icu4c/source/test/intltest/ustrtest.cpp b/icu4c/source/test/intltest/ustrtest.cpp
#index b6515ea813c..ad38bdf53a3 100644
#--- a/icu4c/source/test/intltest/ustrtest.cpp
#+++ b/icu4c/source/test/intltest/ustrtest.cpp
#@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
# TESTCASE_AUTO(TestWCharPointers);
# TESTCASE_AUTO(TestNullPointers);
# TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf);
#+ TESTCASE_AUTO(TestLargeAppend);
# TESTCASE_AUTO_END;
# }
#
#@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() {
# str.insert(2, sub);
# assertEquals("", u"abbcdcde", str);
# }
#+
#+void UnicodeStringTest::TestLargeAppend() {
#+ if(quick) return;
#+
#+ IcuTestErrorCode status(*this, "TestLargeAppend");
#+ // Make a large UnicodeString
#+ int32_t len = 0xAFFFFFF;
#+ UnicodeString str;
#+ char16_t *buf = str.getBuffer(len);
#+ // A fast way to set buffer to valid Unicode.
#+ // 4E4E is a valid unicode character
#+ uprv_memset(buf, 0x4e, len * 2);
#+ str.releaseBuffer(len);
#+ UnicodeString dest;
#+ // Append it 16 times
#+ // 0xAFFFFFF times 16 is 0xA4FFFFF1,
#+ // which is greater than INT32_MAX, which is 0x7FFFFFFF.
#+ int64_t total = 0;
#+ for (int32_t i = 0; i < 16; i++) {
#+ dest.append(str);
#+ total += len;
#+ if (total <= INT32_MAX) {
#+ assertFalse("dest is not bogus", dest.isBogus());
#+ } else {
#+ assertTrue("dest should be bogus", dest.isBogus());
#+ }
#+ }
#+ dest.remove();
#+ total = 0;
#+ for (int32_t i = 0; i < 16; i++) {
#+ dest.append(str);
#+ total += len;
#+ if (total + len <= INT32_MAX) {
#+ assertFalse("dest is not bogus", dest.isBogus());
#+ } else if (total <= INT32_MAX) {
#+ // Check that a string of exactly the maximum size works
#+ UnicodeString str2;
#+ int32_t remain = INT32_MAX - total;
#+ char16_t *buf2 = str2.getBuffer(remain);
#+ if (buf2 == nullptr) {
#+ // if somehow memory allocation fail, return the test
#+ return;
#+ }
#+ uprv_memset(buf2, 0x4e, remain * 2);
#+ str2.releaseBuffer(remain);
#+ dest.append(str2);
#+ total += remain;
#+ assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
#+ assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
#+ assertFalse("dest is not bogus", dest.isBogus());
#+
#+ // Check that a string size+1 goes bogus
#+ str2.truncate(1);
#+ dest.append(str2);
#+ total++;
#+ assertTrue("dest should be bogus", dest.isBogus());
#+ } else {
#+ assertTrue("dest should be bogus", dest.isBogus());
#+ }
#+ }
#+}
#diff --git a/icu4c/source/test/intltest/ustrtest.h b/icu4c/source/test/intltest/ustrtest.h
#index 218befdcc68..4a356a92c7a 100644
#--- a/icu4c/source/test/intltest/ustrtest.h
#+++ b/icu4c/source/test/intltest/ustrtest.h
#@@ -97,6 +97,7 @@ class UnicodeStringTest: public IntlTest {
# void TestWCharPointers();
# void TestNullPointers();
# void TestUnicodeStringInsertAppendToSelf();
#+ void TestLargeAppend();
# };
#
# #endif
View git blame Copy permalink