icu: fix CVE-2018-18928

(From OE-Core rev: 0b3f5e3cb90612c24f30ae8a50ed926492ce2e35) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2019-03-05 16:30:00 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-03-06 10:39:25 +0000
commit: 9fa4bf280df8c42056eba001490c54a6580328cd (patch)
tree: a76f53489fd5851e9862016734cf181bcd52e282
parent: 1cbf28ba2c17f32a63da5f0545994e477c1e8c5a (diff)
download: poky-9fa4bf280df8c42056eba001490c54a6580328cd.tar.gz
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-support/icu/icu/CVE-2018-18928.patch b/meta/recipes-support/icu/icu/CVE-2018-18928.patch
new file mode 100644
index 0000000000..19c50e4e76
--- /dev/null
+++ b/meta/recipes-support/icu/icu/CVE-2018-18928.patch
@@ -0,0 +1,63 @@
+CVE: CVE-2018-18928
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 53d8c8f3d181d87a6aa925b449b51c4a2c922a51 Mon Sep 17 00:00:00 2001
+From: Shane Carr <shane@unicode.org>
+Date: Mon, 29 Oct 2018 23:52:44 -0700
+Subject: [PATCH] ICU-20246 Fixing another integer overflow in number parsing.
+---
+ i18n/fmtable.cpp                          |  2 +-
+ i18n/number_decimalquantity.cpp           |  5 ++++-
+ test/intltest/numfmtst.cpp                |  8 ++++++++
+ 6 files changed, 31 insertions(+), 4 deletions(-)
+diff --git a/i18n/fmtable.cpp b/i18n/fmtable.cpp
+index 45c7024fc29..8601d95f4a6 100644
+--- a/i18n/fmtable.cpp
+++ b/i18n/fmtable.cpp
+@@ -734,7 +734,7 @@ CharString *Formattable::internalGetCharString(UErrorCode &status) {
+       // not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?).
+       if (fDecimalQuantity->isZero()) {
+         fDecimalStr->append("0", -1, status);
+-      } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) {
+      } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) {
+         fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status);
+       } else {
+         fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status);
+diff --git a/i18n/number_decimalquantity.cpp b/i18n/number_decimalquantity.cpp
+index 47b930a564b..d5dd7ae694c 100644
+--- a/i18n/number_decimalquantity.cpp
+++ b/i18n/number_decimalquantity.cpp
+@@ -898,7 +898,10 @@ UnicodeString DecimalQuantity::toScientificString() const {
+     }
+     result.append(u'E');
+     int32_t _scale = upperPos + scale;
+-    if (_scale < 0) {
+    if (_scale == INT32_MIN) {
+        result.append({u"-2147483648", -1});
+        return result;
+    } else if (_scale < 0) {
+         _scale *= -1;
+         result.append(u'-');
+     } else {
+diff --git a/test/intltest/numfmtst.cpp b/test/intltest/numfmtst.cpp
+index 34355939113..8d52dc122bf 100644
+--- a/test/intltest/numfmtst.cpp
+++ b/test/intltest/numfmtst.cpp
+@@ -9226,6 +9226,14 @@ void NumberFormatTest::Test20037_ScientificIntegerOverflow() {
+     assertEquals(u"Should not overflow and should parse only the first exponent",
+                  u"1E-2147483647",
+                  {sp.data(), sp.length(), US_INV});
+
+    // Test edge case overflow of exponent
+    result = Formattable();
+    nf->parse(u".0003e-2147483644", result, status);
+    sp = result.getDecimalNumber(status);
+    assertEquals(u"Should not overflow",
+                 u"3E-2147483648",
+                 {sp.data(), sp.length(), US_INV});
+ }
+ 
+ void NumberFormatTest::Test13840_ParseLongStringCrash() {
diff --git a/meta/recipes-support/icu/icu_63.1.bb b/meta/recipes-support/icu/icu_63.1.bb
index e593dc1bdb..961f022ad7 100644
--- a/meta/recipes-support/icu/icu_63.1.bb
+++ b/meta/recipes-support/icu/icu_63.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "${BASE_SRC_URI} \
           file://icu-pkgdata-large-cmd.patch \
           file://fix-install-manx.patch \
           file://0002-Add-ARC-support.patch \
+           file://CVE-2018-18928.patch \
           "
 SRC_URI_append_class-target = "\
author	Ross Burton <ross.burton@intel.com>	2019-03-05 16:30:00 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-03-06 10:39:25 +0000
commit	9fa4bf280df8c42056eba001490c54a6580328cd (patch)
tree	a76f53489fd5851e9862016734cf181bcd52e282
parent	1cbf28ba2c17f32a63da5f0545994e477c1e8c5a (diff)
download	poky-9fa4bf280df8c42056eba001490c54a6580328cd.tar.gz

diff --git a/meta/recipes-support/icu/icu/CVE-2018-18928.patch b/meta/recipes-support/icu/icu/CVE-2018-18928.patch new file mode 100644 index 0000000000..19c50e4e76 --- /dev/null +++ b/meta/recipes-support/icu/icu/CVE-2018-18928.patch
@@ -0,0 +1,63 @@
		1	CVE: CVE-2018-18928
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@intel.com>
		4
		5	From 53d8c8f3d181d87a6aa925b449b51c4a2c922a51 Mon Sep 17 00:00:00 2001
		6	From: Shane Carr <shane@unicode.org>
		7	Date: Mon, 29 Oct 2018 23:52:44 -0700
		8	Subject: [PATCH] ICU-20246 Fixing another integer overflow in number parsing.
		9
		10	---
		11	i18n/fmtable.cpp \| 2 +-
		12	i18n/number_decimalquantity.cpp \| 5 ++++-
		13	test/intltest/numfmtst.cpp \| 8 ++++++++
		14	6 files changed, 31 insertions(+), 4 deletions(-)
		15
		16	diff --git a/i18n/fmtable.cpp b/i18n/fmtable.cpp
		17	index 45c7024fc29..8601d95f4a6 100644
		18	--- a/i18n/fmtable.cpp
		19	+++ b/i18n/fmtable.cpp
		20	@@ -734,7 +734,7 @@ CharString *Formattable::internalGetCharString(UErrorCode &status) {
		21	// not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?).
		22	if (fDecimalQuantity->isZero()) {
		23	fDecimalStr->append("0", -1, status);
		24	- } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) {
		25	+ } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) {
		26	fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status);
		27	} else {
		28	fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status);
		29	diff --git a/i18n/number_decimalquantity.cpp b/i18n/number_decimalquantity.cpp
		30	index 47b930a564b..d5dd7ae694c 100644
		31	--- a/i18n/number_decimalquantity.cpp
		32	+++ b/i18n/number_decimalquantity.cpp
		33	@@ -898,7 +898,10 @@ UnicodeString DecimalQuantity::toScientificString() const {
		34	}
		35	result.append(u'E');
		36	int32_t _scale = upperPos + scale;
		37	- if (_scale < 0) {
		38	+ if (_scale == INT32_MIN) {
		39	+ result.append({u"-2147483648", -1});
		40	+ return result;
		41	+ } else if (_scale < 0) {
		42	_scale *= -1;
		43	result.append(u'-');
		44	} else {
		45	diff --git a/test/intltest/numfmtst.cpp b/test/intltest/numfmtst.cpp
		46	index 34355939113..8d52dc122bf 100644
		47	--- a/test/intltest/numfmtst.cpp
		48	+++ b/test/intltest/numfmtst.cpp
		49	@@ -9226,6 +9226,14 @@ void NumberFormatTest::Test20037_ScientificIntegerOverflow() {
		50	assertEquals(u"Should not overflow and should parse only the first exponent",
		51	u"1E-2147483647",
		52	{sp.data(), sp.length(), US_INV});
		53	+
		54	+ // Test edge case overflow of exponent
		55	+ result = Formattable();
		56	+ nf->parse(u".0003e-2147483644", result, status);
		57	+ sp = result.getDecimalNumber(status);
		58	+ assertEquals(u"Should not overflow",
		59	+ u"3E-2147483648",
		60	+ {sp.data(), sp.length(), US_INV});
		61	}
		62
		63	void NumberFormatTest::Test13840_ParseLongStringCrash() {


diff --git a/meta/recipes-support/icu/icu_63.1.bb b/meta/recipes-support/icu/icu_63.1.bb index e593dc1bdb..961f022ad7 100644 --- a/meta/recipes-support/icu/icu_63.1.bb +++ b/meta/recipes-support/icu/icu_63.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "${BASE_SRC_URI} \
17	file://icu-pkgdata-large-cmd.patch \	17	file://icu-pkgdata-large-cmd.patch \
18	file://fix-install-manx.patch \	18	file://fix-install-manx.patch \
19	file://0002-Add-ARC-support.patch \	19	file://0002-Add-ARC-support.patch \
		20	file://CVE-2018-18928.patch \
20	"	21	"
21		22
22	SRC_URI_append_class-target = "\	23	SRC_URI_append_class-target = "\