author | Yue Tao <Yue.Tao@windriver.com> | 2013-12-05 17:52:19 -0600 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-02-09 11:04:14 +0000 |
commit | 6757c59442169d274ab6057f543e3ea45bfb4fcd (patch) | |
tree | 480a25a247d28e1f0b5235ede7fb4a43c18f2cad /meta | |
parent | d426450b0be3b7d0181c0332b15a214ef4aa9aab (diff) | |
download | poky-6757c59442169d274ab6057f543e3ea45bfb4fcd.tar.gz |
icu: CVE-2013-2924
Use-after-free vulnerability in International Components for Unicode (ICU),
as used in Google Chrome before 30.0.1599.66 and other products, allows
remote attackers to cause a denial of service or possibly have unspecified
other impact via unknown vectors.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2924
(From OE-Core master rev: 36e2981687acc5b7a74f08718d4578f92af4dc8b)
(From OE-Core rev: ab2d452fd9e177017c57d411ebb61728845f97bf)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch | 33 | ||||
-rw-r--r-- | meta/recipes-support/icu/icu_51.2.bb | 1 |
2 files changed, 34 insertions, 0 deletions
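--- /dev/null
+++ b/meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch
@@ -0,0 +1,33 @@
+--- source/i18n/csrucode.cpp
++++ source/i18n/csrucode.cpp
+@@ -33,8 +33,9 @@ UBool CharsetRecog_UTF_16_BE::match(Inpu
+{
+const uint8_t *input = textIn->fRawInput;
+int32_t confidence = 0;
++ int32_t length = textIn->fRawLength;
+
+- if (input[0] == 0xFE && input[1] == 0xFF) {
++ if (length >=2 && input[0] == 0xFE && input[1] == 0xFF) {
+confidence = 100;
+}
+
+@@ -57,8 +58,9 @@ UBool CharsetRecog_UTF_16_LE::match(Inpu
+{
+const uint8_t *input = textIn->fRawInput;
+int32_t confidence = 0;
++ int32_t length = textIn->fRawLength;
+
+- if (input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
++ if (length >= 4 && input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
+confidence = 100;
+}
+
+@@ -81,7 +83,7 @@ UBool CharsetRecog_UTF_32::match(InputTe
+bool hasBOM = FALSE;
+int32_t confidence = 0;
+
+- if (getChar(input, 0) == 0x0000FEFFUL) {
++ if (limit > 0 && getChar(input, 0) == 0x0000FEFFUL) {
+hasBOM = TRUE;
+}
+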
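Review bot: The `limit > 0` guard added in the CharsetRecog_UTF_32::match hunk is only sufficient if `limit` has already been rounded down to a whole number of 4-byte units, since getChar(input, 0) presumably reads four bytes; `limit` is computed outside the hunk, so that should be confirmed, and if it is the raw byte count the check should be `limit >= 4`. The two UTF-16 hunks compare against the raw length directly (`length >=2`, `length >= 4`), and all three match() bodies start and end outside their hunks. The patch file also begins straight at `--- source/i18n/csrucode.cpp` with no header; I would add a short one above it, e.g. `CVE-2013-2924: add buffer length checks to the UTF-16/32 detectors` and `Upstream-Status: Backport [<upstream change reference>]`, so the origin of the fix can be audited when the recipe is upgraded.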
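--- a/meta/recipes-support/icu/icu_51.2.bb
+++ b/meta/recipes-support/icu/icu_51.2.bb
@@ -7,6 +7,7 @@ PR = "r0"
 BASE_SRC_URI = "http://download.icu-project.org/files/icu4c/${PV}/icu4c-51_2-src.tgz"
 SRC_URI = "${BASE_SRC_URI} \
 file://icu-pkgdata-large-cmd.patch \
+file://add_buffer_length_check_to_UTF_16_or_32_detector.patch \
 "
 
 SRC_URI[md5sum] = "072e501b87065f3a0ca888f1b5165709"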