diff options
author | Leo <thinkabit.ukim@gmail.com> | 2020-03-24 09:32:19 -0300 |
---|---|---|
committer | Leo <thinkabit.ukim@gmail.com> | 2020-03-24 18:22:18 -0300 |
commit | c352863a011aa92c700a861de9b92c6f7a923964 (patch) | |
tree | 24e54ccedea639070f972d6655b92dd2c27cd87a | |
parent | f6fc58556f31047a3a3e540d2d37372b251eafaf (diff) | |
download | alpine_aports-c352863a011aa92c700a861de9b92c6f7a923964.tar.bz2 alpine_aports-c352863a011aa92c700a861de9b92c6f7a923964.tar.xz alpine_aports-c352863a011aa92c700a861de9b92c6f7a923964.zip |
main/icu: fix CVE-2020-10531
see #11329
-rw-r--r-- | main/icu/APKBUILD | 8 | ||||
-rw-r--r-- | main/icu/CVE-2020-10531.patch | 106 |
2 files changed, 112 insertions, 2 deletions
diff --git a/main/icu/APKBUILD b/main/icu/APKBUILD index 1af5dbc75e..bbb903c758 100644 --- a/main/icu/APKBUILD +++ b/main/icu/APKBUILD | |||
@@ -6,7 +6,7 @@ pkgver=62.1 | |||
6 | # convert x.y.z to x_y_z | 6 | # convert x.y.z to x_y_z |
7 | _ver=${pkgver//./_} | 7 | _ver=${pkgver//./_} |
8 | 8 | ||
9 | pkgrel=0 | 9 | pkgrel=1 |
10 | pkgdesc="International Components for Unicode library" | 10 | pkgdesc="International Components for Unicode library" |
11 | url="http://www.icu-project.org/" | 11 | url="http://www.icu-project.org/" |
12 | arch="all" | 12 | arch="all" |
@@ -17,9 +17,12 @@ depends_dev="$pkgname=$pkgver-r$pkgrel" | |||
17 | checkdepends="diffutils" | 17 | checkdepends="diffutils" |
18 | makedepends= | 18 | makedepends= |
19 | source="http://download.icu-project.org/files/icu4c/${pkgver}/${pkgname}4c-$_ver-src.tgz | 19 | source="http://download.icu-project.org/files/icu4c/${pkgver}/${pkgname}4c-$_ver-src.tgz |
20 | CVE-2020-10531.patch | ||
20 | " | 21 | " |
21 | 22 | ||
22 | # secfixes: | 23 | # secfixes: |
24 | # 62.1-r1: | ||
25 | # - CVE-2020-10531 | ||
23 | # 57.1-r1: | 26 | # 57.1-r1: |
24 | # - CVE-2016-6293 | 27 | # - CVE-2016-6293 |
25 | # 58.1-r1: | 28 | # 58.1-r1: |
@@ -90,4 +93,5 @@ libs() { | |||
90 | replaces="icu" | 93 | replaces="icu" |
91 | } | 94 | } |
92 | 95 | ||
93 | sha512sums="8295f2754fb6907e2cc8f515dccca05530963b544e89a2b8e323cd0ddfdbbe0c9eba8b367c1dbc04d7bb906b66b1003fd545ca05298939747c832c9d4431cf2a icu4c-62_1-src.tgz" | 96 | sha512sums="8295f2754fb6907e2cc8f515dccca05530963b544e89a2b8e323cd0ddfdbbe0c9eba8b367c1dbc04d7bb906b66b1003fd545ca05298939747c832c9d4431cf2a icu4c-62_1-src.tgz |
97 | cf3718d9f6a43de4e9a49d20080a04146f6b62c094d2fbd3efd898d7670c9a5ed28736a2c1e71c773a3f807dfeb8c262feeea7b9ea66bb147f58056608d7c3d6 CVE-2020-10531.patch" | ||
diff --git a/main/icu/CVE-2020-10531.patch b/main/icu/CVE-2020-10531.patch new file mode 100644 index 0000000000..f2eb712b1a --- /dev/null +++ b/main/icu/CVE-2020-10531.patch | |||
@@ -0,0 +1,106 @@ | |||
1 | diff --git a/common/unistr.cpp b/common/unistr.cpp | ||
2 | index 5d7cab2..78cf394 100644 | ||
3 | --- a/common/unistr.cpp | ||
4 | +++ b/common/unistr.cpp | ||
5 | @@ -1544,7 +1544,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng | ||
6 | } | ||
7 | |||
8 | int32_t oldLength = length(); | ||
9 | - int32_t newLength = oldLength + srcLength; | ||
10 | + int32_t newLength; | ||
11 | + if (uprv_add32_overflow(oldLength, srcLength, &newLength)) { | ||
12 | + setToBogus(); | ||
13 | + return *this; | ||
14 | + } | ||
15 | // optimize append() onto a large-enough, owned string | ||
16 | if((newLength <= getCapacity() && isBufferWritable()) || | ||
17 | cloneArrayIfNeeded(newLength, getGrowCapacity(newLength))) { | ||
18 | diff --git a/test/intltest/ustrtest.cpp b/test/intltest/ustrtest.cpp | ||
19 | index 4b7cb7a..c5e5a80 100644 | ||
20 | --- a/test/intltest/ustrtest.cpp | ||
21 | +++ b/test/intltest/ustrtest.cpp | ||
22 | @@ -64,6 +64,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* & | ||
23 | TESTCASE_AUTO(TestUInt16Pointers); | ||
24 | TESTCASE_AUTO(TestWCharPointers); | ||
25 | TESTCASE_AUTO(TestNullPointers); | ||
26 | + TESTCASE_AUTO(TestLargeAppend); | ||
27 | TESTCASE_AUTO_END; | ||
28 | } | ||
29 | |||
30 | @@ -2248,3 +2249,64 @@ UnicodeStringTest::TestNullPointers() { | ||
31 | UnicodeString(u"def").extract(nullptr, 0, errorCode); | ||
32 | assertEquals("buffer overflow extracting to nullptr", U_BUFFER_OVERFLOW_ERROR, errorCode); | ||
33 | } | ||
34 | + | ||
35 | +void UnicodeStringTest::TestLargeAppend() { | ||
36 | + if(quick) return; | ||
37 | + | ||
38 | + IcuTestErrorCode status(*this, "TestLargeAppend"); | ||
39 | + // Make a large UnicodeString | ||
40 | + int32_t len = 0xAFFFFFF; | ||
41 | + UnicodeString str; | ||
42 | + char16_t *buf = str.getBuffer(len); | ||
43 | + // A fast way to set buffer to valid Unicode. | ||
44 | + // 4E4E is a valid unicode character | ||
45 | + uprv_memset(buf, 0x4e, len * 2); | ||
46 | + str.releaseBuffer(len); | ||
47 | + UnicodeString dest; | ||
48 | + // Append it 16 times | ||
49 | + // 0xAFFFFFF times 16 is 0xA4FFFFF1, | ||
50 | + // which is greater than INT32_MAX, which is 0x7FFFFFFF. | ||
51 | + int64_t total = 0; | ||
52 | + for (int32_t i = 0; i < 16; i++) { | ||
53 | + dest.append(str); | ||
54 | + total += len; | ||
55 | + if (total <= INT32_MAX) { | ||
56 | + assertFalse("dest is not bogus", dest.isBogus()); | ||
57 | + } else { | ||
58 | + assertTrue("dest should be bogus", dest.isBogus()); | ||
59 | + } | ||
60 | + } | ||
61 | + dest.remove(); | ||
62 | + total = 0; | ||
63 | + for (int32_t i = 0; i < 16; i++) { | ||
64 | + dest.append(str); | ||
65 | + total += len; | ||
66 | + if (total + len <= INT32_MAX) { | ||
67 | + assertFalse("dest is not bogus", dest.isBogus()); | ||
68 | + } else if (total <= INT32_MAX) { | ||
69 | + // Check that a string of exactly the maximum size works | ||
70 | + UnicodeString str2; | ||
71 | + int32_t remain = INT32_MAX - total; | ||
72 | + char16_t *buf2 = str2.getBuffer(remain); | ||
73 | + if (buf2 == nullptr) { | ||
74 | + // if somehow memory allocation fail, return the test | ||
75 | + return; | ||
76 | + } | ||
77 | + uprv_memset(buf2, 0x4e, remain * 2); | ||
78 | + str2.releaseBuffer(remain); | ||
79 | + dest.append(str2); | ||
80 | + total += remain; | ||
81 | + assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total); | ||
82 | + assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length()); | ||
83 | + assertFalse("dest is not bogus", dest.isBogus()); | ||
84 | + | ||
85 | + // Check that a string size+1 goes bogus | ||
86 | + str2.truncate(1); | ||
87 | + dest.append(str2); | ||
88 | + total++; | ||
89 | + assertTrue("dest should be bogus", dest.isBogus()); | ||
90 | + } else { | ||
91 | + assertTrue("dest should be bogus", dest.isBogus()); | ||
92 | + } | ||
93 | + } | ||
94 | +} | ||
95 | diff --git a/test/intltest/ustrtest.h b/test/intltest/ustrtest.h | ||
96 | index 4ba348c..d2d5ee1 100644 | ||
97 | --- a/test/intltest/ustrtest.h | ||
98 | +++ b/test/intltest/ustrtest.h | ||
99 | @@ -96,6 +96,7 @@ public: | ||
100 | void TestUInt16Pointers(); | ||
101 | void TestWCharPointers(); | ||
102 | void TestNullPointers(); | ||
103 | + void TestLargeAppend(); | ||
104 | }; | ||
105 | |||
106 | #endif | ||