Merge remote-tracking branch 'origin/f22'

Conflicts: icu.spec
2015-04-10 20:12:05 +02:00 · 2015-04-10 20:12:05 +02:00 · 6e3307b561
commit 6e3307b561
parent f89d042ab8 9270c935d9
5 changed files with 1454 additions and 1 deletions
--- a/icu.changeset_36724.patch
+++ b/icu.changeset_36724.patch
@ -0,0 +1,39 @@
+Index: icu/source/i18n/regexcmp.cpp
+===================================================================
+--- icu/source/i18n/regexcmp.cpp	(revision 36723)
+++ icu/source/i18n/regexcmp.cpp	(revision 36724)
+@@ -2136,4 +2136,8 @@
+             int32_t minML    = minMatchLength(fMatchOpenParen, patEnd);
+             int32_t maxML    = maxMatchLength(fMatchOpenParen, patEnd);
+            if (URX_TYPE(maxML) != 0) {
+                error(U_REGEX_LOOK_BEHIND_LIMIT);
+                break;
+            }
+             if (maxML == INT32_MAX) {
+                 error(U_REGEX_LOOK_BEHIND_LIMIT);
+@@ -2169,4 +2173,8 @@
+             int32_t minML    = minMatchLength(fMatchOpenParen, patEnd);
+             int32_t maxML    = maxMatchLength(fMatchOpenParen, patEnd);
+            if (URX_TYPE(maxML) != 0) {
+                error(U_REGEX_LOOK_BEHIND_LIMIT);
+                break;
+            }
+             if (maxML == INT32_MAX) {
+                 error(U_REGEX_LOOK_BEHIND_LIMIT);
+Index: icu/source/test/testdata/regextst.txt
+===================================================================
+--- icu/source/test/testdata/regextst.txt	(revision 36723)
+++ icu/source/test/testdata/regextst.txt	(revision 36724)
+@@ -1201,4 +1201,12 @@
+ "A|B|\U00012345"                "hello <0>\U00012345</0>"
+ "A|B|\U00010000"                "hello \ud800"
+
+# Bug 11370
+#   Max match length computation of look-behind expression gives result that is too big to fit in the
+#   in the 24 bit operand portion of the compiled code. Expressions should fail to compile
+#   (Look-behind match length must be bounded. This case is treated as unbounded, an error.)
+
+"(?<!(0123456789a){10000000})x"         E  "no match"
+"(?<!\\ubeaf(\\ubeaf{11000}){11000})"   E  "no match"
+ 
+ #  Random debugging, Temporary
--- a/icu.changeset_36727.patch
+++ b/icu.changeset_36727.patch
@ -0,0 +1,55 @@
+Index: icu/source/i18n/regexcmp.cpp
+===================================================================
+--- icu/source/i18n/regexcmp.cpp	(revision 36726)
+++ icu/source/i18n/regexcmp.cpp	(revision 36727)
+@@ -2340,5 +2340,13 @@
+     if (fIntervalUpper == 0) {
+         // Pathological case.  Attempt no matches, as if the block doesn't exist.
+        // Discard the generated code for the block.
+        // If the block included parens, discard the info pertaining to them as well.
+         fRXPat->fCompiledPat->setSize(topOfBlock);
+        if (fMatchOpenParen >= topOfBlock) {
+            fMatchOpenParen = -1;
+        }
+        if (fMatchCloseParen >= topOfBlock) {
+            fMatchCloseParen = -1;
+        }
+         return TRUE;
+     }
+Index: icu/source/i18n/regexcmp.h
+===================================================================
+--- icu/source/i18n/regexcmp.h	(revision 36726)
+++ icu/source/i18n/regexcmp.h	(revision 36727)
+@@ -188,5 +188,7 @@
+                                                      //   of the slot reserved for a state save
+                                                      //   at the start of the most recently processed
+-                                                     //   parenthesized block.
+                                                     //   parenthesized block. Updated when processing
+                                                     //   a close to the location for the corresponding open.
+
+     int32_t                       fMatchCloseParen;  // The position in the pattern of the first
+                                                      //   location after the most recently processed
+Index: icu/source/test/testdata/regextst.txt
+===================================================================
+--- icu/source/test/testdata/regextst.txt	(revision 36726)
+++ icu/source/test/testdata/regextst.txt	(revision 36727)
+@@ -1202,4 +1202,13 @@
+ "A|B|\U00010000"                "hello \ud800"
+ 
+# Bug 11369
+#   Incorrect optimization of patterns with a zero length quantifier {0}
+
+"(.|b)(|b){0}\$(?#xxx){3}(?>\D*)"   "AAAAABBBBBCCCCCDDDDEEEEE"
+"(|b)ab(c)"                     "<0><1></1>ab<2>c</2></0>"
+"(|b){0}a{3}(D*)"               "<0>aaa<2></2></0>"
+"(|b){0,1}a{3}(D*)"             "<0><1></1>aaa<2></2></0>"
+"((|b){0})a{3}(D*)"             "<0><1></1>aaa<3></3></0>"
+
+ # Bug 11370
+ #   Max match length computation of look-behind expression gives result that is too big to fit in the
+@@ -1209,4 +1218,5 @@
+ "(?<!(0123456789a){10000000})x"         E  "no match"
+ "(?<!\\ubeaf(\\ubeaf{11000}){11000})"   E  "no match"
+
+ 
+ #  Random debugging, Temporary
--- a/icu.changeset_36801.patch
+++ b/icu.changeset_36801.patch
--- a/icu.changeset_37086.patch
+++ b/icu.changeset_37086.patch
@ -0,0 +1,125 @@
+# https://ssl.icu-project.org/trac/changeset/37086
+
+Index: icu/source/layout/ContextualSubstSubtables.cpp
+===================================================================
+--- icu/source/layout/ContextualSubstSubtables.cpp	(revision 37085)
+++ icu/source/layout/ContextualSubstSubtables.cpp	(revision 37086)
+@@ -1,4 +1,4 @@
+ /*
+- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved
+ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved
+  *
+  */
+@@ -467,4 +467,10 @@
+                     (const ChainSubClassRuleTable *) ((char *) chainSubClassSetTable + chainSubClassRuleTableOffset);
+                 le_uint16 backtrackGlyphCount = SWAPW(chainSubClassRuleTable->backtrackGlyphCount);
+
+                // TODO: Ticket #11557 - enable this check, originally from ticket #11525.
+                //       Depends on other, more extensive, changes.
+                // LEReferenceToArrayOf<le_uint16>   backtrackClassArray(base, success, chainSubClassRuleTable->backtrackClassArray, backtrackGlyphCount);
+                if( LE_FAILURE(success) ) { return 0; }
+
+                 le_uint16 inputGlyphCount = SWAPW(chainSubClassRuleTable->backtrackClassArray[backtrackGlyphCount]) - 1;
+                 const le_uint16 *inputClassArray = &chainSubClassRuleTable->backtrackClassArray[backtrackGlyphCount + 1];
+Index: icu/source/layout/CursiveAttachmentSubtables.cpp
+===================================================================
+--- icu/source/layout/CursiveAttachmentSubtables.cpp	(revision 37085)
+++ icu/source/layout/CursiveAttachmentSubtables.cpp	(revision 37086)
+@@ -1,4 +1,4 @@
+ /*
+- * (C) Copyright IBM Corp. 1998 - 2013 - All Rights Reserved
+ * (C) Copyright IBM Corp. 1998 - 2015 - All Rights Reserved
+  *
+  */
+@@ -21,5 +21,8 @@
+     le_uint16 eeCount       = SWAPW(entryExitCount);
+ 
+-    if (coverageIndex < 0 || coverageIndex >= eeCount) {
+    LEReferenceToArrayOf<EntryExitRecord>
+        entryExitRecordsArrayRef(base, success, entryExitRecords, coverageIndex);
+
+    if (coverageIndex < 0 || coverageIndex >= eeCount || LE_FAILURE(success)) {
+         glyphIterator->setCursiveGlyph();
+         return 0;
+Index: icu/source/layout/Features.cpp
+===================================================================
+--- icu/source/layout/Features.cpp	(revision 37085)
+++ icu/source/layout/Features.cpp	(revision 37086)
+@@ -2,5 +2,5 @@
+  * @(#)Features.cpp 1.4 00/03/15
+  *
+- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved
+ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved
+  *
+  */
+@@ -16,4 +16,7 @@
+ LEReferenceTo<FeatureTable> FeatureListTable::getFeatureTable(const LETableReference &base, le_uint16 featureIndex, LETag *featureTag, LEErrorCode &success) const
+ {
+    LEReferenceToArrayOf<FeatureRecord>
+        featureRecordArrayRef(base, success, featureRecordArray, featureIndex);
+
+   if (featureIndex >= SWAPW(featureCount) || LE_FAILURE(success)) {
+     return LEReferenceTo<FeatureTable>();
+Index: icu/source/layout/LETableReference.h
+===================================================================
+--- icu/source/layout/LETableReference.h	(revision 37085)
+++ icu/source/layout/LETableReference.h	(revision 37086)
+@@ -2,5 +2,5 @@
+  * -*- c++ -*-
+  *
+- * (C) Copyright IBM Corp. and others 2013 - All Rights Reserved
+ * (C) Copyright IBM Corp. and others 2015 - All Rights Reserved
+  *
+  * Range checking
+@@ -314,5 +314,10 @@
+ 
+   const T& getObject(le_uint32 i, LEErrorCode &success) const {
+-    return *getAlias(i,success);
+      const T *ret = getAlias(i, success);
+      if (LE_FAILURE(success) || ret==NULL) {
+          return *(new T(0));
+      } else {
+          return *ret;
+     }
+   }
+   
+Index: icu/source/layout/LigatureSubstSubtables.cpp
+===================================================================
+--- icu/source/layout/LigatureSubstSubtables.cpp	(revision 37085)
+++ icu/source/layout/LigatureSubstSubtables.cpp	(revision 37086)
+@@ -1,4 +1,4 @@
+ /*
+- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved
+ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved
+  *
+  */
+@@ -28,4 +28,7 @@
+             const LigatureTable *ligTable = (const LigatureTable *) ((char *)ligSetTable + ligTableOffset);
+             le_uint16 compCount = SWAPW(ligTable->compCount) - 1;
+            LEReferenceToArrayOf<TTGlyphID>
+                componentArrayRef(base, success, ligTable->componentArray, compCount);
+            if (LE_FAILURE(success)) { return 0; }
+             le_int32 startPosition = glyphIterator->getCurrStreamPosition();
+             TTGlyphID ligGlyph = SWAPW(ligTable->ligGlyph);
+Index: icu/source/layout/MultipleSubstSubtables.cpp
+===================================================================
+--- icu/source/layout/MultipleSubstSubtables.cpp	(revision 37085)
+++ icu/source/layout/MultipleSubstSubtables.cpp	(revision 37086)
+@@ -1,5 +1,5 @@
+ /*
+  *
+- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved
+ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved
+  *
+  */
+@@ -36,5 +36,10 @@
+     le_int32 coverageIndex = getGlyphCoverage(base, glyph, success);
+     le_uint16 seqCount = SWAPW(sequenceCount);
+    LEReferenceToArrayOf<Offset>
+        sequenceTableOffsetArrayRef(base, success, sequenceTableOffsetArray, seqCount);
+ 
+    if (LE_FAILURE(success)) {
+        return 0;
+    }
+     if (coverageIndex >= 0 && coverageIndex < seqCount) {
+         Offset sequenceTableOffset = SWAPW(sequenceTableOffsetArray[coverageIndex]);
--- a/icu.spec
+++ b/icu.spec
@ -1,6 +1,6 @@
 Name:      icu
 Version:   54.1
-Release:   2%{?dist}
+Release:   3%{?dist}
 Summary:   International Components for Unicode
 Group:     Development/Tools
 License:   MIT and UCD and Public Domain
@ -15,6 +15,10 @@ Patch2: icu.8800.freeserif.crash.patch
 Patch3: icu.7601.Indic-ccmp.patch
 Patch4: gennorm2-man.patch
 Patch5: icuinfo-man.patch
+Patch6: icu.changeset_36724.patch
+Patch7: icu.changeset_36727.patch
+Patch8: icu.changeset_36801.patch
+Patch9: icu.changeset_37086.patch

 %description
 Tools and utilities for developing with icu.
@ -62,6 +66,10 @@ BuildArch: noarch
 %patch3 -p1 -b .icu7601.Indic-ccmp.patch
 %patch4 -p1 -b .gennorm2-man.patch
 %patch5 -p1 -b .icuinfo-man.patch
+%patch6 -p1 -b .icu.changeset_36724.patch
+%patch7 -p1 -b .icu.changeset_36727.patch
+%patch8 -p1 -b .icu.changeset_36801.patch
+%patch9 -p1 -b .icu.changeset_37086.patch

 %build
 cd source
@ -170,6 +178,10 @@ make %{?_smp_mflags} -C source check
 %doc source/__docs/%{name}/html/*

 %changelog
+* Fri Apr 10 2015 Eike Rathke <erack@redhat.com> - 54.1-3
+- Resolves: rhbz#1190131 CVE-2014-7923 CVE-2014-7926 CVE-2014-9654
+- Resolves: rhbz#1184811 CVE-2014-6585 CVE-2014-6591
+
 * Sat Feb 21 2015 Till Maas <opensource@till.name> - 54.1-2
 - Rebuilt for Fedora 23 Change
  https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code