icu: fix CVE-2020-10531

(From OE-Core rev: 76f53b383b17f0cc568201843e8dac8690791495) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2020-03-20 08:37:11 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-03-30 17:41:55 +0100
commit: 02299147d9473e636a21ff2dd6de0be10c60b9a7 (patch)
tree: b607ca27227b8ea192d9fb31a453141106366ed6 /meta
parent: f9ef210967ab34168d4a24930987dc0731baf56f (diff)
download: poky-02299147d9473e636a21ff2dd6de0be10c60b9a7.tar.gz
2 files changed, 123 insertions, 0 deletions
diff --git a/meta/recipes-support/icu/icu/CVE-2020-10531.patch b/meta/recipes-support/icu/icu/CVE-2020-10531.patch
new file mode 100644
index 0000000000..56303fc0f2
--- /dev/null
+++ b/meta/recipes-support/icu/icu/CVE-2020-10531.patch
@@ -0,0 +1,122 @@
+From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
+From: Frank Tang <ftang@chromium.org>
+Date: Sat, 1 Feb 2020 02:39:04 +0000
+Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
+See #971
+Upstream-Status: Backport [https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca]
+CVE: CVE-2020-10531
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ icu4c/source/common/unistr.cpp          |  6 ++-
+ icu4c/source/test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++
+ icu4c/source/test/intltest/ustrtest.h   |  1 +
+ 3 files changed, 68 insertions(+), 1 deletion(-)
+diff --git a/icu4c/source/common/unistr.cpp b/icu4c/source/common/unistr.cpp
+index 901bb3358ba..077b4d6ef20 100644
+--- a/icu4c/source/common/unistr.cpp
+++ b/icu4c/source/common/unistr.cpp
+@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
+   }
+ 
+   int32_t oldLength = length();
+-  int32_t newLength = oldLength + srcLength;
+  int32_t newLength;
+  if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
+    setToBogus();
+    return *this;
+  }
+ 
+   // Check for append onto ourself
+   const UChar* oldArray = getArrayStart();
+diff --git a/icu4c/source/test/intltest/ustrtest.cpp b/icu4c/source/test/intltest/ustrtest.cpp
+index b6515ea813c..ad38bdf53a3 100644
+--- a/icu4c/source/test/intltest/ustrtest.cpp
+++ b/icu4c/source/test/intltest/ustrtest.cpp
+@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
+     TESTCASE_AUTO(TestWCharPointers);
+     TESTCASE_AUTO(TestNullPointers);
+     TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf);
+    TESTCASE_AUTO(TestLargeAppend);
+     TESTCASE_AUTO_END;
+ }
+ 
+@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() {
+     str.insert(2, sub);
+     assertEquals("", u"abbcdcde", str);
+ }
+
+void UnicodeStringTest::TestLargeAppend() {
+    if(quick) return;
+
+    IcuTestErrorCode status(*this, "TestLargeAppend");
+    // Make a large UnicodeString
+    int32_t len = 0xAFFFFFF;
+    UnicodeString str;
+    char16_t *buf = str.getBuffer(len);
+    // A fast way to set buffer to valid Unicode.
+    // 4E4E is a valid unicode character
+    uprv_memset(buf, 0x4e, len * 2);
+    str.releaseBuffer(len);
+    UnicodeString dest;
+    // Append it 16 times
+    // 0xAFFFFFF times 16 is 0xA4FFFFF1,
+    // which is greater than INT32_MAX, which is 0x7FFFFFFF.
+    int64_t total = 0;
+    for (int32_t i = 0; i < 16; i++) {
+        dest.append(str);
+        total += len;
+        if (total <= INT32_MAX) {
+            assertFalse("dest is not bogus", dest.isBogus());
+        } else {
+            assertTrue("dest should be bogus", dest.isBogus());
+        }
+    }
+    dest.remove();
+    total = 0;
+    for (int32_t i = 0; i < 16; i++) {
+        dest.append(str);
+        total += len;
+        if (total + len <= INT32_MAX) {
+            assertFalse("dest is not bogus", dest.isBogus());
+        } else if (total <= INT32_MAX) {
+            // Check that a string of exactly the maximum size works
+            UnicodeString str2;
+            int32_t remain = INT32_MAX - total;
+            char16_t *buf2 = str2.getBuffer(remain);
+            if (buf2 == nullptr) {
+                // if somehow memory allocation fail, return the test
+                return;
+            }
+            uprv_memset(buf2, 0x4e, remain * 2);
+            str2.releaseBuffer(remain);
+            dest.append(str2);
+            total += remain;
+            assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
+            assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
+            assertFalse("dest is not bogus", dest.isBogus());
+
+            // Check that a string size+1 goes bogus
+            str2.truncate(1);
+            dest.append(str2);
+            total++;
+            assertTrue("dest should be bogus", dest.isBogus());
+        } else {
+            assertTrue("dest should be bogus", dest.isBogus());
+        }
+    }
+}
+diff --git a/icu4c/source/test/intltest/ustrtest.h b/icu4c/source/test/intltest/ustrtest.h
+index 218befdcc68..4a356a92c7a 100644
+--- a/icu4c/source/test/intltest/ustrtest.h
+++ b/icu4c/source/test/intltest/ustrtest.h
+@@ -97,6 +97,7 @@ class UnicodeStringTest: public IntlTest {
+     void TestWCharPointers();
+     void TestNullPointers();
+     void TestUnicodeStringInsertAppendToSelf();
+    void TestLargeAppend();
+ };
+ 
+ #endif
diff --git a/meta/recipes-support/icu/icu_64.2.bb b/meta/recipes-support/icu/icu_64.2.bb
index 10bac7aac0..2ed807787d 100644
--- a/meta/recipes-support/icu/icu_64.2.bb
+++ b/meta/recipes-support/icu/icu_64.2.bb
@@ -18,6 +18,7 @@ SRC_URI = "${BASE_SRC_URI} \
           file://fix-install-manx.patch \
           file://0001-Fix-big-endian-build.patch \
           file://0001-icu-Added-armeb-support.patch \
+           file://CVE-2020-10531.patch;striplevel=3 \
           "
 SRC_URI_append_class-target = "\
author	Anuj Mittal <anuj.mittal@intel.com>	2020-03-20 08:37:11 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-03-30 17:41:55 +0100
commit	02299147d9473e636a21ff2dd6de0be10c60b9a7 (patch)
tree	b607ca27227b8ea192d9fb31a453141106366ed6 /meta
parent	f9ef210967ab34168d4a24930987dc0731baf56f (diff)
download	poky-02299147d9473e636a21ff2dd6de0be10c60b9a7.tar.gz

diff --git a/meta/recipes-support/icu/icu/CVE-2020-10531.patch b/meta/recipes-support/icu/icu/CVE-2020-10531.patch new file mode 100644 index 0000000000..56303fc0f2 --- /dev/null +++ b/meta/recipes-support/icu/icu/CVE-2020-10531.patch
@@ -0,0 +1,122 @@
		1	From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
		2	From: Frank Tang <ftang@chromium.org>
		3	Date: Sat, 1 Feb 2020 02:39:04 +0000
		4	Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
		5
		6	See #971
		7
		8	Upstream-Status: Backport [https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca]
		9	CVE: CVE-2020-10531
		10	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		11	---
		12	icu4c/source/common/unistr.cpp \| 6 ++-
		13	icu4c/source/test/intltest/ustrtest.cpp \| 62 +++++++++++++++++++++++++
		14	icu4c/source/test/intltest/ustrtest.h \| 1 +
		15	3 files changed, 68 insertions(+), 1 deletion(-)
		16
		17	diff --git a/icu4c/source/common/unistr.cpp b/icu4c/source/common/unistr.cpp
		18	index 901bb3358ba..077b4d6ef20 100644
		19	--- a/icu4c/source/common/unistr.cpp
		20	+++ b/icu4c/source/common/unistr.cpp
		21	@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
		22	}
		23
		24	int32_t oldLength = length();
		25	- int32_t newLength = oldLength + srcLength;
		26	+ int32_t newLength;
		27	+ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
		28	+ setToBogus();
		29	+ return *this;
		30	+ }
		31
		32	// Check for append onto ourself
		33	const UChar* oldArray = getArrayStart();
		34	diff --git a/icu4c/source/test/intltest/ustrtest.cpp b/icu4c/source/test/intltest/ustrtest.cpp
		35	index b6515ea813c..ad38bdf53a3 100644
		36	--- a/icu4c/source/test/intltest/ustrtest.cpp
		37	+++ b/icu4c/source/test/intltest/ustrtest.cpp
		38	@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
		39	TESTCASE_AUTO(TestWCharPointers);
		40	TESTCASE_AUTO(TestNullPointers);
		41	TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf);
		42	+ TESTCASE_AUTO(TestLargeAppend);
		43	TESTCASE_AUTO_END;
		44	}
		45
		46	@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() {
		47	str.insert(2, sub);
		48	assertEquals("", u"abbcdcde", str);
		49	}
		50	+
		51	+void UnicodeStringTest::TestLargeAppend() {
		52	+ if(quick) return;
		53	+
		54	+ IcuTestErrorCode status(*this, "TestLargeAppend");
		55	+ // Make a large UnicodeString
		56	+ int32_t len = 0xAFFFFFF;
		57	+ UnicodeString str;
		58	+ char16_t *buf = str.getBuffer(len);
		59	+ // A fast way to set buffer to valid Unicode.
		60	+ // 4E4E is a valid unicode character
		61	+ uprv_memset(buf, 0x4e, len * 2);
		62	+ str.releaseBuffer(len);
		63	+ UnicodeString dest;
		64	+ // Append it 16 times
		65	+ // 0xAFFFFFF times 16 is 0xA4FFFFF1,
		66	+ // which is greater than INT32_MAX, which is 0x7FFFFFFF.
		67	+ int64_t total = 0;
		68	+ for (int32_t i = 0; i < 16; i++) {
		69	+ dest.append(str);
		70	+ total += len;
		71	+ if (total <= INT32_MAX) {
		72	+ assertFalse("dest is not bogus", dest.isBogus());
		73	+ } else {
		74	+ assertTrue("dest should be bogus", dest.isBogus());
		75	+ }
		76	+ }
		77	+ dest.remove();
		78	+ total = 0;
		79	+ for (int32_t i = 0; i < 16; i++) {
		80	+ dest.append(str);
		81	+ total += len;
		82	+ if (total + len <= INT32_MAX) {
		83	+ assertFalse("dest is not bogus", dest.isBogus());
		84	+ } else if (total <= INT32_MAX) {
		85	+ // Check that a string of exactly the maximum size works
		86	+ UnicodeString str2;
		87	+ int32_t remain = INT32_MAX - total;
		88	+ char16_t *buf2 = str2.getBuffer(remain);
		89	+ if (buf2 == nullptr) {
		90	+ // if somehow memory allocation fail, return the test
		91	+ return;
		92	+ }
		93	+ uprv_memset(buf2, 0x4e, remain * 2);
		94	+ str2.releaseBuffer(remain);
		95	+ dest.append(str2);
		96	+ total += remain;
		97	+ assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
		98	+ assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
		99	+ assertFalse("dest is not bogus", dest.isBogus());
		100	+
		101	+ // Check that a string size+1 goes bogus
		102	+ str2.truncate(1);
		103	+ dest.append(str2);
		104	+ total++;
		105	+ assertTrue("dest should be bogus", dest.isBogus());
		106	+ } else {
		107	+ assertTrue("dest should be bogus", dest.isBogus());
		108	+ }
		109	+ }
		110	+}
		111	diff --git a/icu4c/source/test/intltest/ustrtest.h b/icu4c/source/test/intltest/ustrtest.h
		112	index 218befdcc68..4a356a92c7a 100644
		113	--- a/icu4c/source/test/intltest/ustrtest.h
		114	+++ b/icu4c/source/test/intltest/ustrtest.h
		115	@@ -97,6 +97,7 @@ class UnicodeStringTest: public IntlTest {
		116	void TestWCharPointers();
		117	void TestNullPointers();
		118	void TestUnicodeStringInsertAppendToSelf();
		119	+ void TestLargeAppend();
		120	};
		121
		122	#endif


diff --git a/meta/recipes-support/icu/icu_64.2.bb b/meta/recipes-support/icu/icu_64.2.bb index 10bac7aac0..2ed807787d 100644 --- a/meta/recipes-support/icu/icu_64.2.bb +++ b/meta/recipes-support/icu/icu_64.2.bb
@@ -18,6 +18,7 @@ SRC_URI = "${BASE_SRC_URI} \
18	file://fix-install-manx.patch \	18	file://fix-install-manx.patch \
19	file://0001-Fix-big-endian-build.patch \	19	file://0001-Fix-big-endian-build.patch \
20	file://0001-icu-Added-armeb-support.patch \	20	file://0001-icu-Added-armeb-support.patch \
		21	file://CVE-2020-10531.patch;striplevel=3 \
21	"	22	"
22		23
23	SRC_URI_append_class-target = "\	24	SRC_URI_append_class-target = "\