summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2019-03-05 16:30:00 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-03-06 10:39:25 +0000
commit9fa4bf280df8c42056eba001490c54a6580328cd (patch)
treea76f53489fd5851e9862016734cf181bcd52e282
parent1cbf28ba2c17f32a63da5f0545994e477c1e8c5a (diff)
downloadpoky-9fa4bf280df8c42056eba001490c54a6580328cd.tar.gz
icu: fix CVE-2018-18928
(From OE-Core rev: 0b3f5e3cb90612c24f30ae8a50ed926492ce2e35) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-support/icu/icu/CVE-2018-18928.patch63
-rw-r--r--meta/recipes-support/icu/icu_63.1.bb1
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-support/icu/icu/CVE-2018-18928.patch b/meta/recipes-support/icu/icu/CVE-2018-18928.patch
new file mode 100644
index 0000000000..19c50e4e76
--- /dev/null
+++ b/meta/recipes-support/icu/icu/CVE-2018-18928.patch
@@ -0,0 +1,63 @@
1CVE: CVE-2018-18928
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@intel.com>
4
5From 53d8c8f3d181d87a6aa925b449b51c4a2c922a51 Mon Sep 17 00:00:00 2001
6From: Shane Carr <shane@unicode.org>
7Date: Mon, 29 Oct 2018 23:52:44 -0700
8Subject: [PATCH] ICU-20246 Fixing another integer overflow in number parsing.
9
10---
11 i18n/fmtable.cpp | 2 +-
12 i18n/number_decimalquantity.cpp | 5 ++++-
13 test/intltest/numfmtst.cpp | 8 ++++++++
14 6 files changed, 31 insertions(+), 4 deletions(-)
15
16diff --git a/i18n/fmtable.cpp b/i18n/fmtable.cpp
17index 45c7024fc29..8601d95f4a6 100644
18--- a/i18n/fmtable.cpp
19+++ b/i18n/fmtable.cpp
20@@ -734,7 +734,7 @@ CharString *Formattable::internalGetCharString(UErrorCode &status) {
21 // not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?).
22 if (fDecimalQuantity->isZero()) {
23 fDecimalStr->append("0", -1, status);
24- } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) {
25+ } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) {
26 fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status);
27 } else {
28 fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status);
29diff --git a/i18n/number_decimalquantity.cpp b/i18n/number_decimalquantity.cpp
30index 47b930a564b..d5dd7ae694c 100644
31--- a/i18n/number_decimalquantity.cpp
32+++ b/i18n/number_decimalquantity.cpp
33@@ -898,7 +898,10 @@ UnicodeString DecimalQuantity::toScientificString() const {
34 }
35 result.append(u'E');
36 int32_t _scale = upperPos + scale;
37- if (_scale < 0) {
38+ if (_scale == INT32_MIN) {
39+ result.append({u"-2147483648", -1});
40+ return result;
41+ } else if (_scale < 0) {
42 _scale *= -1;
43 result.append(u'-');
44 } else {
45diff --git a/test/intltest/numfmtst.cpp b/test/intltest/numfmtst.cpp
46index 34355939113..8d52dc122bf 100644
47--- a/test/intltest/numfmtst.cpp
48+++ b/test/intltest/numfmtst.cpp
49@@ -9226,6 +9226,14 @@ void NumberFormatTest::Test20037_ScientificIntegerOverflow() {
50 assertEquals(u"Should not overflow and should parse only the first exponent",
51 u"1E-2147483647",
52 {sp.data(), sp.length(), US_INV});
53+
54+ // Test edge case overflow of exponent
55+ result = Formattable();
56+ nf->parse(u".0003e-2147483644", result, status);
57+ sp = result.getDecimalNumber(status);
58+ assertEquals(u"Should not overflow",
59+ u"3E-2147483648",
60+ {sp.data(), sp.length(), US_INV});
61 }
62
63 void NumberFormatTest::Test13840_ParseLongStringCrash() {
diff --git a/meta/recipes-support/icu/icu_63.1.bb b/meta/recipes-support/icu/icu_63.1.bb
index e593dc1bdb..961f022ad7 100644
--- a/meta/recipes-support/icu/icu_63.1.bb
+++ b/meta/recipes-support/icu/icu_63.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "${BASE_SRC_URI} \
17 file://icu-pkgdata-large-cmd.patch \ 17 file://icu-pkgdata-large-cmd.patch \
18 file://fix-install-manx.patch \ 18 file://fix-install-manx.patch \
19 file://0002-Add-ARC-support.patch \ 19 file://0002-Add-ARC-support.patch \
20 file://CVE-2018-18928.patch \
20 " 21 "
21 22
22SRC_URI_append_class-target = "\ 23SRC_URI_append_class-target = "\