icu/CVE-2020-10531.patch

From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
From: Frank Tang <ftang@chromium.org>
Date: Sat, 1 Feb 2020 02:39:04 +0000
Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append

See #971
---
 source/common/unistr.cpp          |  6 ++-

diff --git a/source/common/unistr.cpp b/source/common/unistr.cpp
index 901bb3358ba..077b4d6ef20 100644
--- a/source/common/unistr.cpp
+++ b/source/common/unistr.cpp
@@ -73,6 +73,17 @@ print(const UChar *s,
 // END DEBUGGING
 #endif

+// Adding this function as support of CVE-2020-10531
+// since this version has not uprv_add32_overflow
+// implement it here.
+UBool uprv_add32_overflow(int32_t a, int32_t b, int32_t* res) {
+  int64_t a64 = static_cast<int64_t>(a);
+  int64_t b64 = static_cast<int64_t>(b);
+  int64_t res64 = a64 + b64;
+  *res = static_cast<int32_t>(res64);
+  return res64 != *res;
+}
+
 // Local function definitions for now

 // need to copy areas that may overlap
@@ -1510,7 +1510,11 @@ UnicodeString::doAppend(const UChar *src
   }
 
   int32_t oldLength = length();
-  int32_t newLength = oldLength + srcLength;
+  int32_t newLength;
+  if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
+    setToBogus();
+    return *this;
+  }
   // optimize append() onto a large-enough, owned string
   if((newLength <= getCapacity() && isBufferWritable()) ||
       cloneArrayIfNeeded(newLength, newLength + (newLength >> 2) + kGrowSize)) {
Add patches to fix CVE: 1.CVE-2016-6293 2.CVE-2016-7415 3.CVE-2017-7867 4.CVE-2017-7868 5.CVE-2017-14952 6.CVE-2017-15422 7.CVE-2020-10531 2020-09-15 10:55:54 +03:00			`From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001`
			`From: Frank Tang <ftang@chromium.org>`
			`Date: Sat, 1 Feb 2020 02:39:04 +0000`
			`Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append`

			`See #971`
			`---`
			`source/common/unistr.cpp \| 6 ++-`

			`diff --git a/source/common/unistr.cpp b/source/common/unistr.cpp`
			`index 901bb3358ba..077b4d6ef20 100644`
			`--- a/source/common/unistr.cpp`
			`+++ b/source/common/unistr.cpp`
			`@@ -73,6 +73,17 @@ print(const UChar *s,`
			`// END DEBUGGING`
			`#endif`

			`+// Adding this function as support of CVE-2020-10531`
			`+// since this version has not uprv_add32_overflow`
			`+// implement it here.`
			`+UBool uprv_add32_overflow(int32_t a, int32_t b, int32_t* res) {`
			`+ int64_t a64 = static_cast<int64_t>(a);`
			`+ int64_t b64 = static_cast<int64_t>(b);`
			`+ int64_t res64 = a64 + b64;`
			`+ *res = static_cast<int32_t>(res64);`
			`+ return res64 != *res;`
			`+}`
			`+`
			`// Local function definitions for now`

			`// need to copy areas that may overlap`
			`@@ -1510,7 +1510,11 @@ UnicodeString::doAppend(const UChar *src`
			`}`

			`int32_t oldLength = length();`
			`- int32_t newLength = oldLength + srcLength;`
			`+ int32_t newLength;`
			`+ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {`
			`+ setToBogus();`
			`+ return *this;`
			`+ }`
			`// optimize append() onto a large-enough, owned string`
			`if((newLength <= getCapacity() && isBufferWritable()) \|\|`
			`cloneArrayIfNeeded(newLength, newLength + (newLength >> 2) + kGrowSize)) {`