mirror of
https://abf.rosa.ru/djam/icu.git
synced 2025-02-23 10:52:49 +00:00
e72145c5f9
1.CVE-2016-6293 2.CVE-2016-7415 3.CVE-2017-7867 4.CVE-2017-7868 5.CVE-2017-14952 6.CVE-2017-15422 7.CVE-2020-10531
44 lines
1.4 KiB
Diff
44 lines
1.4 KiB
Diff
From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
|
|
From: Frank Tang <ftang@chromium.org>
|
|
Date: Sat, 1 Feb 2020 02:39:04 +0000
|
|
Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
|
|
|
|
See #971
|
|
---
|
|
source/common/unistr.cpp | 6 ++-
|
|
|
|
diff --git a/source/common/unistr.cpp b/source/common/unistr.cpp
|
|
index 901bb3358ba..077b4d6ef20 100644
|
|
--- a/source/common/unistr.cpp
|
|
+++ b/source/common/unistr.cpp
|
|
@@ -73,6 +73,17 @@ print(const UChar *s,
|
|
// END DEBUGGING
|
|
#endif
|
|
|
|
+// Adding this function as support of CVE-2020-10531
|
|
+// since this version has not uprv_add32_overflow
|
|
+// implement it here.
|
|
+UBool uprv_add32_overflow(int32_t a, int32_t b, int32_t* res) {
|
|
+ int64_t a64 = static_cast<int64_t>(a);
|
|
+ int64_t b64 = static_cast<int64_t>(b);
|
|
+ int64_t res64 = a64 + b64;
|
|
+ *res = static_cast<int32_t>(res64);
|
|
+ return res64 != *res;
|
|
+}
|
|
+
|
|
// Local function definitions for now
|
|
|
|
// need to copy areas that may overlap
|
|
@@ -1510,7 +1510,11 @@ UnicodeString::doAppend(const UChar *src
|
|
}
|
|
|
|
int32_t oldLength = length();
|
|
- int32_t newLength = oldLength + srcLength;
|
|
+ int32_t newLength;
|
|
+ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
|
|
+ setToBogus();
|
|
+ return *this;
|
|
+ }
|
|
// optimize append() onto a large-enough, owned string
|
|
if((newLength <= getCapacity() && isBufferWritable()) ||
|
|
cloneArrayIfNeeded(newLength, newLength + (newLength >> 2) + kGrowSize)) {
|