diff options
| -rw-r--r-- | main/icu/APKBUILD | 10 | ||||
| -rw-r--r-- | main/icu/CVE-2020-10531.patch | 132 |
2 files changed, 139 insertions, 3 deletions
diff --git a/main/icu/APKBUILD b/main/icu/APKBUILD index 60aba72565..acf2d04f99 100644 --- a/main/icu/APKBUILD +++ b/main/icu/APKBUILD @@ -6,7 +6,7 @@ pkgver=60.2 # convert x.y.z to x_y_z _ver=${pkgver//./_} -pkgrel=2 +pkgrel=3 pkgdesc="International Components for Unicode library" url="http://www.icu-project.org/" arch="all" @@ -16,9 +16,12 @@ depends= checkdepends="diffutils" makedepends= source="http://download.icu-project.org/files/icu4c/${pkgver}/${pkgname}4c-$_ver-src.tgz + CVE-2020-10531.patch " # secfixes: +# 60.2-r3: +# - CVE-2020-10531 # 57.1-r1: # - CVE-2016-6293 # 58.1-r1: @@ -58,7 +61,7 @@ build() { --disable-samples \ --enable-static \ --mandir=/usr/share/man - make + make VERBOSE=1 } check() { @@ -87,4 +90,5 @@ libs() { replaces="icu" } -sha512sums="8e718e66c13e7f25714404c46b91ed6305efff1df70c328be2ec743023a7719016dae72a5fa0a05d6f5599983590a2044ff72d3453a048d987ab546d0416d694 icu4c-60_2-src.tgz" +sha512sums="8e718e66c13e7f25714404c46b91ed6305efff1df70c328be2ec743023a7719016dae72a5fa0a05d6f5599983590a2044ff72d3453a048d987ab546d0416d694 icu4c-60_2-src.tgz +9d7a7fe59b89978b2f649539532891525672f9c1678d09218e34e06dbf7339dafc5b71a80ef3801deb5573a6e729e83061333b723f1c138e109c55458b36e21a CVE-2020-10531.patch" diff --git a/main/icu/CVE-2020-10531.patch b/main/icu/CVE-2020-10531.patch new file mode 100644 index 0000000000..3daeecd4ab --- /dev/null +++ b/main/icu/CVE-2020-10531.patch @@ -0,0 +1,132 @@ +Backported of: + +From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001 +From: Frank Tang <ftang@chromium.org> +Date: Sat, 1 Feb 2020 02:39:04 +0000 +Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append + +See #971 +diff --git a/source/common/unistr.cpp b/source/common/unistr.cpp +index 1bfb71a..e8a7f12 100644 +--- a/common/unistr.cpp ++++ b/common/unistr.cpp +@@ -75,6 +75,17 @@ print(const UChar *s, + // END DEBUGGING + #endif + ++// Adding this function as support of CVE-2020-10531 ++// since this version has not uprv_add32_overflow ++// implement it here. ++UBool uprv_add32_overflow(int32_t a, int32_t b, int32_t* res) { ++ auto a64 = static_cast<int64_t>(a); ++ auto b64 = static_cast<int64_t>(b); ++ int64_t res64 = a64 + b64; ++ *res = static_cast<int32_t>(res64); ++ return res64 != *res; ++} ++ + // Local function definitions for now + + // need to copy areas that may overlap +@@ -1546,7 +1557,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng + } + + int32_t oldLength = length(); +- int32_t newLength = oldLength + srcLength; ++ int32_t newLength; ++ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) { ++ setToBogus(); ++ return *this; ++ } + // optimize append() onto a large-enough, owned string + if((newLength <= getCapacity() && isBufferWritable()) || + cloneArrayIfNeeded(newLength, getGrowCapacity(newLength))) { +diff --git a/source/test/intltest/ustrtest.cpp b/source/test/intltest/ustrtest.cpp +index b361e20..9b613d3 100644 +--- a/test/intltest/ustrtest.cpp ++++ b/test/intltest/ustrtest.cpp +@@ -64,6 +64,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* & + TESTCASE_AUTO(TestUInt16Pointers); + TESTCASE_AUTO(TestWCharPointers); + TESTCASE_AUTO(TestNullPointers); ++ TESTCASE_AUTO(TestLargeAppend); + TESTCASE_AUTO_END; + } + +@@ -2253,3 +2254,64 @@ UnicodeStringTest::TestNullPointers() { + UnicodeString(u"def").extract(nullptr, 0, errorCode); + assertEquals("buffer overflow extracting to nullptr", U_BUFFER_OVERFLOW_ERROR, errorCode); + } ++ ++void UnicodeStringTest::TestLargeAppend() { ++ if(quick) return; ++ ++ IcuTestErrorCode status(*this, "TestLargeAppend"); ++ // Make a large UnicodeString ++ int32_t len = 0xAFFFFFF; ++ UnicodeString str; ++ char16_t *buf = str.getBuffer(len); ++ // A fast way to set buffer to valid Unicode. ++ // 4E4E is a valid unicode character ++ uprv_memset(buf, 0x4e, len * 2); ++ str.releaseBuffer(len); ++ UnicodeString dest; ++ // Append it 16 times ++ // 0xAFFFFFF times 16 is 0xA4FFFFF1, ++ // which is greater than INT32_MAX, which is 0x7FFFFFFF. ++ int64_t total = 0; ++ for (int32_t i = 0; i < 16; i++) { ++ dest.append(str); ++ total += len; ++ if (total <= INT32_MAX) { ++ assertFalse("dest is not bogus", dest.isBogus()); ++ } else { ++ assertTrue("dest should be bogus", dest.isBogus()); ++ } ++ } ++ dest.remove(); ++ total = 0; ++ for (int32_t i = 0; i < 16; i++) { ++ dest.append(str); ++ total += len; ++ if (total + len <= INT32_MAX) { ++ assertFalse("dest is not bogus", dest.isBogus()); ++ } else if (total <= INT32_MAX) { ++ // Check that a string of exactly the maximum size works ++ UnicodeString str2; ++ int32_t remain = INT32_MAX - total; ++ char16_t *buf2 = str2.getBuffer(remain); ++ if (buf2 == nullptr) { ++ // if somehow memory allocation fail, return the test ++ return; ++ } ++ uprv_memset(buf2, 0x4e, remain * 2); ++ str2.releaseBuffer(remain); ++ dest.append(str2); ++ total += remain; ++ assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total); ++ assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length()); ++ assertFalse("dest is not bogus", dest.isBogus()); ++ ++ // Check that a string size+1 goes bogus ++ str2.truncate(1); ++ dest.append(str2); ++ total++; ++ assertTrue("dest should be bogus", dest.isBogus()); ++ } else { ++ assertTrue("dest should be bogus", dest.isBogus()); ++ } ++ } ++} +diff --git a/source/test/intltest/ustrtest.h b/source/test/intltest/ustrtest.h +index 4ba348c..d2d5ee1 100644 +--- a/test/intltest/ustrtest.h ++++ b/test/intltest/ustrtest.h +@@ -96,6 +96,7 @@ public: + void TestUInt16Pointers(); + void TestWCharPointers(); + void TestNullPointers(); ++ void TestLargeAppend(); + }; + + #endif |