author | Leo <thinkabit.ukim@gmail.com> | 2020-03-24 09:32:19 -0300 |
---|---|---|
committer | Leo <thinkabit.ukim@gmail.com> | 2020-03-25 14:42:08 +0000 |
commit | 2add2c07ac039ce197ac8af365651947051ca02f (patch) | |
tree | 1e25a5039bea122448b5b4ca48db9848dee40b9c | |
parent | 069a7f047dd996c5b0e330ad776b0a354664ab4a (diff) |
main/icu: fix CVE-2020-10531
see #11329
-rw-r--r-- | main/icu/APKBUILD | 8 | ||||
-rw-r--r-- | main/icu/CVE-2020-10531.patch | 106 |
2 files changed, 112 insertions, 2 deletions
diff --git a/main/icu/APKBUILD b/main/icu/APKBUILD index 36bbca017f2..c218a043ec1 100644 --- a/main/icu/APKBUILD +++ b/main/icu/APKBUILD @@ -6,7 +6,7 @@ pkgver=64.2 # convert x.y.z to x_y_z _ver=${pkgver//./_} -pkgrel=0 +pkgrel=1 pkgdesc="International Components for Unicode library" url="http://www.icu-project.org/" arch="all" @@ -17,9 +17,12 @@ depends_dev="$pkgname=$pkgver-r$pkgrel" checkdepends="diffutils python3" makedepends= source="http://download.icu-project.org/files/icu4c/${pkgver}/${pkgname}4c-$_ver-src.tgz + CVE-2020-10531.patch " # secfixes: +# 64.2-r1: +# - CVE-2020-10531 # 57.1-r1: # - CVE-2016-6293 # 58.1-r1: @@ -92,4 +95,5 @@ libs() { replaces="icu" } -sha512sums="5ecb4c230ba45918747a1cf9aef86f555aa07d5b29b1d07ab674e8013f46dfb907a0e9d6945db41155f9dc3012fd94e1152ffc19f61a68b6dfcbabdcb8ae9d78 icu4c-64_2-src.tgz" +sha512sums="5ecb4c230ba45918747a1cf9aef86f555aa07d5b29b1d07ab674e8013f46dfb907a0e9d6945db41155f9dc3012fd94e1152ffc19f61a68b6dfcbabdcb8ae9d78 icu4c-64_2-src.tgz +57b588da3e1488000bc4191e79bdbaa91f64fd126fdfb4bd9dbd105a52f8b93a03dda2c9d39ef0a598d7851750c17bcf270780da3cf253975b1dfa32dd6720df CVE-2020-10531.patch" diff --git a/main/icu/CVE-2020-10531.patch b/main/icu/CVE-2020-10531.patch new file mode 100644 index 00000000000..95f7154e023 --- /dev/null +++ b/main/icu/CVE-2020-10531.patch 
@@ -0,0 +1,106 @@
+diff --git a/common/unistr.cpp b/common/unistr.cpp
+index 8f06515..61f471d 100644
+--- a/common/unistr.cpp
++++ b/common/unistr.cpp
+@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
+ }
+
+ int32_t oldLength = length();
+- int32_t newLength = oldLength + srcLength;
++ int32_t newLength;
++ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
++ setToBogus();
++ return *this;
++ }
+
+ // Check for append onto ourself
+ const UChar* oldArray = getArrayStart();
+diff --git a/test/intltest/ustrtest.cpp b/test/intltest/ustrtest.cpp
+index c31a465..f0d2f93 100644
+--- a/test/intltest/ustrtest.cpp
++++ b/test/intltest/ustrtest.cpp
+@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
+ TESTCASE_AUTO(TestWCharPointers);
+ TESTCASE_AUTO(TestNullPointers);
+ TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf);
++ TESTCASE_AUTO(TestLargeAppend);
+ TESTCASE_AUTO_END;
+ }
+
+@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() {
+ str.insert(2, sub);
+ assertEquals("", u"abbcdcde", str);
+ }
++
++void UnicodeStringTest::TestLargeAppend() {
++ if(quick) return;
++
++ IcuTestErrorCode status(*this, "TestLargeAppend");
++ // Make a large UnicodeString
++ int32_t len = 0xAFFFFFF;
++ UnicodeString str;
++ char16_t *buf = str.getBuffer(len);
++ // A fast way to set buffer to valid Unicode.
++ // 4E4E is a valid unicode character
++ uprv_memset(buf, 0x4e, len * 2);
++ str.releaseBuffer(len);
++ UnicodeString dest;
++ // Append it 16 times
++ // 0xAFFFFFF times 16 is 0xA4FFFFF1,
++ // which is greater than INT32_MAX, which is 0x7FFFFFFF.
++ int64_t total = 0;
++ for (int32_t i = 0; i < 16; i++) {
++ dest.append(str);
++ total += len;
++ if (total <= INT32_MAX) {
++ assertFalse("dest is not bogus", dest.isBogus());
++ } else {
++ assertTrue("dest should be bogus", dest.isBogus());
++ }
++ }
++ dest.remove();
++ total = 0;
++ for (int32_t i = 0; i < 16; i++) {
++ dest.append(str);
++ total += len;
++ if (total + len <= INT32_MAX) {
++ assertFalse("dest is not bogus", dest.isBogus());
++ } else if (total <= INT32_MAX) {
++ // Check that a string of exactly the maximum size works
++ UnicodeString str2;
++ int32_t remain = INT32_MAX - total;
++ char16_t *buf2 = str2.getBuffer(remain);
++ if (buf2 == nullptr) {
++ // if somehow memory allocation fail, return the test
++ return;
++ }
++ uprv_memset(buf2, 0x4e, remain * 2);
++ str2.releaseBuffer(remain);
++ dest.append(str2);
++ total += remain;
++ assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
++ assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
++ assertFalse("dest is not bogus", dest.isBogus());
++
++ // Check that a string size+1 goes bogus
++ str2.truncate(1);
++ dest.append(str2);
++ total++;
++ assertTrue("dest should be bogus", dest.isBogus());
++ } else {
++ assertTrue("dest should be bogus", dest.isBogus());
++ }
++ }
++}
+diff --git a/test/intltest/ustrtest.h b/test/intltest/ustrtest.h
+index 218befd..4a356a9 100644
+--- a/test/intltest/ustrtest.h
++++ b/test/intltest/ustrtest.h
+@@ -97,6 +97,7 @@ public:
+ void TestWCharPointers();
+ void TestNullPointers();
+ void TestUnicodeStringInsertAppendToSelf();
++ void TestLargeAppend();
+ };
+
+ #endif |
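Review bot: In the added TestLargeAppend, the pointer returned by `str.getBuffer(len)` is passed straight to `uprv_memset(buf, 0x4e, len * 2)` with no null check, although the later `buf2` allocation in the same test is checked. With `len = 0xAFFFFFF` that first buffer is roughly 350 MiB of UTF-16 data, so an allocation failure on a constrained builder would presumably crash the test rather than skip it; adding `if (buf == nullptr) { return; }` before the memset would match the `buf2` handling. The first loop also asserts that `dest` is not bogus until the running total passes INT32_MAX, which likely cannot hold on 32-bit targets where an allocation of that size fails earlier, so it is worth confirming the test is either skipped there (`quick`) or tolerant of it. The patch file also starts directly at `diff --git` with no header naming the upstream change it was taken from; a leading line such as `Upstream: <upstream-commit-url>` would let the backport be compared with upstream.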