From 14898297f736d186b795cd214aabd5a5e5ad469e Mon Sep 17 00:00:00 2001
From: Eike Rathke
Date: Fri, 18 Nov 2016 18:25:55 +0100
Subject: [PATCH] Resolves: rhbz#1377362 CVE-2016-7415

---
 ...common_locid.cpp-from-39282-to-39384.patch | 156 ++++++++++++++++++
 icu.spec | 7 +-
 2 files changed, 162 insertions(+), 1 deletion(-)
 create mode 100644 diff-icu_trunk_source_common_locid.cpp-from-39282-to-39384.patch

diff --git a/diff-icu_trunk_source_common_locid.cpp-from-39282-to-39384.patch b/diff-icu_trunk_source_common_locid.cpp-from-39282-to-39384.patch
new file mode 100644
index 0000000..896cdda
--- /dev/null
+++ b/diff-icu_trunk_source_common_locid.cpp-from-39282-to-39384.patch
@@ -0,0 +1,156 @@
+Index: icu/trunk/source/common/locid.cpp
+===================================================================
+--- icu/source/common/locid.cpp (revision 39282)
++++ icu/source/common/locid.cpp (revision 39384)
+@@ -45,4 +45,5 @@
+ #include "ucln_cmn.h"
+ #include "ustr_imp.h"
++#include "charstr.h"
+
+ U_CDECL_BEGIN
+@@ -59,4 +60,10 @@
+ static UHashtable *gDefaultLocalesHashT = NULL;
+ static Locale *gDefaultLocale = NULL;
++
++/**
++ * \def ULOC_STRING_LIMIT
++ * strings beyond this value crash in CharString
++ */
++#define ULOC_STRING_LIMIT 357913941
+
+ U_NAMESPACE_END
+@@ -286,5 +293,5 @@
+ else
+ {
+- MaybeStackArray togo;
++ UErrorCode status = U_ZERO_ERROR;
+ int32_t size = 0;
+ int32_t lsize = 0;
+@@ -292,5 +299,4 @@
+ int32_t vsize = 0;
+ int32_t ksize = 0;
+- char *p;
+
+ // Calculate the size of the resulting string.
+@@ -300,6 +306,12 @@
+ {
+ lsize = (int32_t)uprv_strlen(newLanguage);
++ if ( lsize < 0 || lsize > ULOC_STRING_LIMIT ) { // int32 wrap
++ setToBogus();
++ return;
++ }
+ size = lsize;
+ }
++
++ CharString togo(newLanguage, lsize, status); // start with newLanguage
+
+ // _Country
+@@ -307,4 +319,8 @@
+ {
+ csize = (int32_t)uprv_strlen(newCountry);
++ if ( csize < 0 || csize > ULOC_STRING_LIMIT ) { // int32 wrap
++ setToBogus();
++ return;
++ }
+ size += csize;
+ }
+@@ -321,4 +337,8 @@
+ // remove trailing _'s
+ vsize = (int32_t)uprv_strlen(newVariant);
++ if ( vsize < 0 || vsize > ULOC_STRING_LIMIT ) { // int32 wrap
++ setToBogus();
++ return;
++ }
+ while( (vsize>1) && (newVariant[vsize-1] == SEP_CHAR) )
+ {
+@@ -345,48 +365,30 @@
+ {
+ ksize = (int32_t)uprv_strlen(newKeywords);
++ if ( ksize < 0 || ksize > ULOC_STRING_LIMIT ) {
++ setToBogus();
++ return;
++ }
+ size += ksize + 1;
+ }
+
+-
+ // NOW we have the full locale string..
+-
+- /*if the whole string is longer than our internal limit, we need
+- to go to the heap for temporary buffers*/
+- if (size >= togo.getCapacity())
+- {
+- // If togo_heap could not be created, initialize with default settings.
+- if (togo.resize(size+1) == NULL) {
+- init(NULL, FALSE);
+- }
+- }
+-
+- togo[0] = 0;
+-
+ // Now, copy it back.
+- p = togo.getAlias();
+- if ( lsize != 0 )
+- {
+- uprv_strcpy(p, newLanguage);
+- p += lsize;
+- }
++
++ // newLanguage is already copied
+
+ if ( ( vsize != 0 ) || (csize != 0) ) // at least: __v
+ { // ^
+- *p++ = SEP_CHAR;
++ togo.append(SEP_CHAR, status);
+ }
+
+ if ( csize != 0 )
+ {
+- uprv_strcpy(p, newCountry);
+- p += csize;
++ togo.append(newCountry, status);
+ }
+
+ if ( vsize != 0)
+ {
+- *p++ = SEP_CHAR; // at least: __v
+-
+- uprv_strncpy(p, newVariant, vsize); // Must use strncpy because
+- p += vsize; // of trimming (above).
+- *p = 0; // terminate
++ togo.append(SEP_CHAR, status)
++ .append(newVariant, vsize, status);
+ }
+
+@@ -394,19 +396,23 @@
+ {
+ if (uprv_strchr(newKeywords, '=')) {
+- *p++ = '@'; /* keyword parsing */
++ togo.append('@', status); /* keyword parsing */
+ }
+ else {
+- *p++ = '_'; /* Variant parsing with a script */
++ togo.append('_', status); /* Variant parsing with a script */
+ if ( vsize == 0) {
+- *p++ = '_'; /* No country found */
++ togo.append('_', status); /* No country found */
+ }
+ }
+- uprv_strcpy(p, newKeywords);
+- p += ksize;
+- }
+-
++ togo.append(newKeywords, status);
++ }
++
++ if (U_FAILURE(status)) {
++ // Something went wrong with appending, etc.
++ setToBogus();
++ return;
++ }
+ // Parse it, because for example 'language' might really be a complete
+ // string.
+- init(togo.getAlias(), FALSE);
++ init(togo.data(), FALSE);
+ }
+ }
diff --git a/icu.spec b/icu.spec
index 5b77f67..077e5a3 100644
--- a/icu.spec
+++ b/icu.spec
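Review bot: The new length guards in the inner hunks at -300, -307, -321 and -345 test `lsize < 0 || lsize > ULOC_STRING_LIMIT` only after `(int32_t)uprv_strlen(...)` has already narrowed a size_t, so the `< 0` half depends on the implementation-defined result of that conversion instead of rejecting the oversized input directly; comparing the unsigned length first, e.g. `size_t len = uprv_strlen(newLanguage);` / `if (len > ULOC_STRING_LIMIT) { setToBogus(); return; }` / `lsize = (int32_t)len;`, makes the bound explicit, and the same applies to csize, vsize and ksize. With the `togo.resize(size+1)` path removed, the running `size` total (`size = lsize;`, `size += csize;`, `size += ksize + 1;`) appears to have no remaining consumer within this patch and could be dropped so the overflow reasoning lives only in the per-component checks. The `ULOC_STRING_LIMIT` comment says only that larger values crash CharString; 357913941 is INT32_MAX/6, so a comment stating how the bound was derived would help the next maintainer. The enclosing function begins before the first inner hunk, and only its closing braces at the -394 hunk are visible here.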
@@ -2,7 +2,7 @@ Name: icu Version: 57.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: International Components for Unicode License: MIT and UCD and Public Domain @@ -20,6 +20,7 @@ Patch4: gennorm2-man.patch Patch5: icuinfo-man.patch Patch6: armv7hl-disable-tests.patch Patch7: rhbz1360340-icu-changeset-39109.patch +Patch8: diff-icu_trunk_source_common_locid.cpp-from-39282-to-39384.patch %description Tools and utilities for developing with icu. @@ -69,6 +70,7 @@ BuildArch: noarch %patch6 -p1 -b .armv7hl-disable-tests.patch %endif %patch7 -p1 -b .rhbz1360340-icu-changeset-39109.patch +%patch8 -p1 -b .diff-icu_trunk_source_common_locid.cpp-from-39282-to-39384.patch %build @@ -197,6 +199,9 @@ LD_LIBRARY_PATH=lib:stubdata:tools/ctestfw:$LD_LIBRARY_PATH bin/uconv -l %changelog +* Fri Nov 18 2016 Eike Rathke - 57.1-3 +- Resolves: rhbz#1377362 CVE-2016-7415 + * Tue Nov 01 2016 Eike Rathke - 57.1-2 - Resolves: rhbz#1360340 CVE-2016-6293