icu: CVE-2013-2924

Use-after-free vulnerability in International Components for Unicode (ICU), as used in Google Chrome before 30.0.1599.66 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2924 (From OE-Core rev: 36e2981687acc5b7a74f08718d4578f92af4dc8b) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yue Tao <Yue.Tao@windriver.com> 2013-12-05 17:52:19 -0600
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2013-12-10 17:42:46 +0000
commit: c66ff8bb8f4cdd6346a33b37599b67bbc77f1c8c (patch)
tree: 8089976f211946110155d9b7a05e94d594efcf64 /meta/recipes-support
parent: 42cb2c968b994715532a3c5fde68c8638526b3bf (diff)
download: poky-c66ff8bb8f4cdd6346a33b37599b67bbc77f1c8c.tar.gz
2 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch b/meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch
new file mode 100644
index 0000000000..ad4d61c3ea
--- /dev/null
+++ b/meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch
@@ -0,0 +1,33 @@
+--- source/i18n/csrucode.cpp
+++ source/i18n/csrucode.cpp
+@@ -33,8 +33,9 @@ UBool CharsetRecog_UTF_16_BE::match(Inpu
+ {
+     const uint8_t *input = textIn->fRawInput;
+     int32_t confidence = 0;
+    int32_t length = textIn->fRawLength;
+ 
+-    if (input[0] == 0xFE && input[1] == 0xFF) {
+    if (length >=2 && input[0] == 0xFE && input[1] == 0xFF) {
+         confidence = 100;
+     }
+ 
+@@ -57,8 +58,9 @@ UBool CharsetRecog_UTF_16_LE::match(Inpu
+ {
+     const uint8_t *input = textIn->fRawInput;
+     int32_t confidence = 0;
+    int32_t length = textIn->fRawLength;
+ 
+-    if (input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
+    if (length >= 4 && input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
+         confidence = 100;
+     }
+ 
+@@ -81,7 +83,7 @@ UBool CharsetRecog_UTF_32::match(InputTe
+     bool hasBOM = FALSE;
+     int32_t confidence = 0;
+ 
+-    if (getChar(input, 0) == 0x0000FEFFUL) {
+    if (limit > 0 && getChar(input, 0) == 0x0000FEFFUL) {
+         hasBOM = TRUE;
+     }
+ 
diff --git a/meta/recipes-support/icu/icu_51.2.bb b/meta/recipes-support/icu/icu_51.2.bb
index aca3ea5aea..aabe07b841 100644
--- a/meta/recipes-support/icu/icu_51.2.bb
+++ b/meta/recipes-support/icu/icu_51.2.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://../license.html;md5=443a74288a72fad9069a74e7637192c1"
 BASE_SRC_URI = "http://download.icu-project.org/files/icu4c/${PV}/icu4c-51_2-src.tgz"
 SRC_URI = "${BASE_SRC_URI} \
           file://icu-pkgdata-large-cmd.patch \
+           file://add_buffer_length_check_to_UTF_16_or_32_detector.patch \
          "
 SRC_URI[md5sum] = "072e501b87065f3a0ca888f1b5165709"
author	Yue Tao <Yue.Tao@windriver.com>	2013-12-05 17:52:19 -0600
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2013-12-10 17:42:46 +0000
commit	c66ff8bb8f4cdd6346a33b37599b67bbc77f1c8c (patch)
tree	8089976f211946110155d9b7a05e94d594efcf64 /meta/recipes-support
parent	42cb2c968b994715532a3c5fde68c8638526b3bf (diff)
download	poky-c66ff8bb8f4cdd6346a33b37599b67bbc77f1c8c.tar.gz

diff --git a/meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch b/meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch new file mode 100644 index 0000000000..ad4d61c3ea --- /dev/null +++ b/meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch
@@ -0,0 +1,33 @@
		1	--- source/i18n/csrucode.cpp
		2	+++ source/i18n/csrucode.cpp
		3	@@ -33,8 +33,9 @@ UBool CharsetRecog_UTF_16_BE::match(Inpu
		4	{
		5	const uint8_t *input = textIn->fRawInput;
		6	int32_t confidence = 0;
		7	+ int32_t length = textIn->fRawLength;
		8
		9	- if (input[0] == 0xFE && input[1] == 0xFF) {
		10	+ if (length >=2 && input[0] == 0xFE && input[1] == 0xFF) {
		11	confidence = 100;
		12	}
		13
		14	@@ -57,8 +58,9 @@ UBool CharsetRecog_UTF_16_LE::match(Inpu
		15	{
		16	const uint8_t *input = textIn->fRawInput;
		17	int32_t confidence = 0;
		18	+ int32_t length = textIn->fRawLength;
		19
		20	- if (input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 \|\| input[3] != 0x00)) {
		21	+ if (length >= 4 && input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 \|\| input[3] != 0x00)) {
		22	confidence = 100;
		23	}
		24
		25	@@ -81,7 +83,7 @@ UBool CharsetRecog_UTF_32::match(InputTe
		26	bool hasBOM = FALSE;
		27	int32_t confidence = 0;
		28
		29	- if (getChar(input, 0) == 0x0000FEFFUL) {
		30	+ if (limit > 0 && getChar(input, 0) == 0x0000FEFFUL) {
		31	hasBOM = TRUE;
		32	}
		33


diff --git a/meta/recipes-support/icu/icu_51.2.bb b/meta/recipes-support/icu/icu_51.2.bb index aca3ea5aea..aabe07b841 100644 --- a/meta/recipes-support/icu/icu_51.2.bb +++ b/meta/recipes-support/icu/icu_51.2.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://../license.html;md5=443a74288a72fad9069a74e7637192c1"
6	BASE_SRC_URI = "http://download.icu-project.org/files/icu4c/${PV}/icu4c-51_2-src.tgz"	6	BASE_SRC_URI = "http://download.icu-project.org/files/icu4c/${PV}/icu4c-51_2-src.tgz"
7	SRC_URI = "${BASE_SRC_URI} \	7	SRC_URI = "${BASE_SRC_URI} \
8	file://icu-pkgdata-large-cmd.patch \	8	file://icu-pkgdata-large-cmd.patch \
		9	file://add_buffer_length_check_to_UTF_16_or_32_detector.patch \
9	"	10	"
10		11
11	SRC_URI[md5sum] = "072e501b87065f3a0ca888f1b5165709"	12	SRC_URI[md5sum] = "072e501b87065f3a0ca888f1b5165709"