78 lines
3.1 KiB
Diff
78 lines
3.1 KiB
Diff
# CVE-2017-17484
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1524820
|
|
# https://ssl.icu-project.org/trac/ticket/13510
|
|
# https://ssl.icu-project.org/trac/changeset/40715
|
|
Index: /trunk/icu4c/source/common/ucnv_u8.cpp
|
|
===================================================================
|
|
--- /trunk/icu4c/source/common/ucnv_u8.cpp (revision 40714)
|
|
+++ /trunk/icu4c/source/common/ucnv_u8.cpp (revision 40715)
|
|
@@ -815,5 +815,5 @@
|
|
|
|
/* copy the legal byte sequence to the target */
|
|
- {
|
|
+ if(count>=toULength) {
|
|
int8_t i;
|
|
|
|
@@ -826,4 +826,12 @@
|
|
}
|
|
count-=toULength;
|
|
+ } else {
|
|
+ // A supplementary character that does not fit into the target.
|
|
+ // Let the standard converter handle this.
|
|
+ source-=(toULength-oldToULength);
|
|
+ pToUArgs->source=(char *)source;
|
|
+ pFromUArgs->target=(char *)target;
|
|
+ *pErrorCode=U_USING_DEFAULT_WARNING;
|
|
+ return;
|
|
}
|
|
}
|
|
Index: /trunk/icu4c/source/test/intltest/convtest.cpp
|
|
===================================================================
|
|
--- /trunk/icu4c/source/test/intltest/convtest.cpp (revision 40714)
|
|
+++ /trunk/icu4c/source/test/intltest/convtest.cpp (revision 40715)
|
|
@@ -724,5 +724,5 @@
|
|
LocalUConverterPointer cnv1(ucnv_open("UTF-8", errorCode));
|
|
LocalUConverterPointer cnv2(ucnv_open("UTF-8", errorCode));
|
|
- static const char *text = "aä";
|
|
+ static const char *text = "aä"; // ä: 2 bytes
|
|
const char *source = text;
|
|
const char *sourceLimit = text + strlen(text);
|
|
@@ -757,4 +757,37 @@
|
|
if (length == 3) {
|
|
assertTrue("result same as input", memcmp(text, result, length) == 0);
|
|
+ }
|
|
+
|
|
+ ucnv_reset(cnv1.getAlias());
|
|
+ ucnv_reset(cnv2.getAlias());
|
|
+ memset(result, 0, sizeof(result));
|
|
+ static const char *text2 = "a🚲"; // U+1F6B2 bicycle: 4 bytes
|
|
+ source = text2;
|
|
+ sourceLimit = text2 + strlen(text2);
|
|
+ target = result;
|
|
+ pivotSource = pivotTarget = buffer16;
|
|
+
|
|
+ // Convert with insufficient target capacity.
|
|
+ result[3] = 5;
|
|
+ ucnv_convertEx(cnv2.getAlias(), cnv1.getAlias(),
|
|
+ &target, result + 3, &source, sourceLimit,
|
|
+ buffer16, &pivotSource, &pivotTarget, pivotLimit,
|
|
+ FALSE, FALSE, errorCode);
|
|
+ assertEquals("text2 overflow", U_BUFFER_OVERFLOW_ERROR, errorCode.reset());
|
|
+ length = (int32_t)(target - result);
|
|
+ assertEquals("text2 number of bytes written", 3, length);
|
|
+ assertEquals("text2 next byte not clobbered", 5, result[3]);
|
|
+
|
|
+ // Convert the rest and flush.
|
|
+ ucnv_convertEx(cnv2.getAlias(), cnv1.getAlias(),
|
|
+ &target, targetLimit, &source, sourceLimit,
|
|
+ buffer16, &pivotSource, &pivotTarget, pivotLimit,
|
|
+ FALSE, TRUE, errorCode);
|
|
+
|
|
+ assertSuccess("text2 UTF-8->UTF-8", errorCode);
|
|
+ length = (int32_t)(target - result);
|
|
+ assertEquals("text2 5 bytes", 5, length);
|
|
+ if (length == 5) {
|
|
+ assertTrue("text2 result same as input", memcmp(text2, result, length) == 0);
|
|
}
|
|
}
|