From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001 From: Frank Tang Date: Sat, 1 Feb 2020 02:39:04 +0000 Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append See #971 --- source/common/unistr.cpp | 6 ++- diff --git a/source/common/unistr.cpp b/source/common/unistr.cpp index 901bb3358ba..077b4d6ef20 100644 --- a/source/common/unistr.cpp +++ b/source/common/unistr.cpp @@ -73,6 +73,17 @@ print(const UChar *s, // END DEBUGGING #endif +// Adding this function as support of CVE-2020-10531 +// since this version has not uprv_add32_overflow +// implement it here. +UBool uprv_add32_overflow(int32_t a, int32_t b, int32_t* res) { + int64_t a64 = static_cast(a); + int64_t b64 = static_cast(b); + int64_t res64 = a64 + b64; + *res = static_cast(res64); + return res64 != *res; +} + // Local function definitions for now // need to copy areas that may overlap @@ -1510,7 +1510,11 @@ UnicodeString::doAppend(const UChar *src } int32_t oldLength = length(); - int32_t newLength = oldLength + srcLength; + int32_t newLength; + if (uprv_add32_overflow(oldLength, srcLength, &newLength)) { + setToBogus(); + return *this; + } // optimize append() onto a large-enough, owned string if((newLength <= getCapacity() && isBufferWritable()) || cloneArrayIfNeeded(newLength, newLength + (newLength >> 2) + kGrowSize)) {
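Review bot: `uprv_add32_overflow` in the first hunk is defined as a plain free function with external linkage, although the comment says it exists only because this version lacks it. If another translation unit, or a later ICU update, defines the same name, the link breaks or the one-definition rule is violated. Making it file-local avoids that: `static UBool uprv_add32_overflow(int32_t a, int32_t b, int32_t* res) {`. The comment should also state the contract the caller relies on, for example `// Returns TRUE if a + b does not fit in int32_t; *res then holds the truncated sum and must not be used.` The casts show on this page as `static_cast(a)`, presumably because the `<int64_t>` and `<int32_t>` arguments were lost in rendering, so confirm them against the original patch.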
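Review bot: The growth-capacity argument on the context line right after the new check, `newLength + (newLength >> 2) + kGrowSize`, can still overflow `int32_t` for a `newLength` that passed the guard, because the guard covers only `oldLength + srcLength`. Signed overflow is undefined behaviour, and how `cloneArrayIfNeeded` treats a wrapped or negative growth value is not visible in this hunk. The same helper can compute it, falling back to the exact size: `int32_t growCapacity;` then `if (uprv_add32_overflow(newLength, (newLength >> 2) + kGrowSize, &growCapacity)) { growCapacity = newLength; }`, passing `growCapacity` as the second argument. The body of `doAppend` starts and ends outside the hunk, so check there that `srcLength` is already non-negative at this point.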