ICU: CVE-2014-8146-CVE-2014-8147
CVE-2014-8146 icu: heap overflow via incorrect isolateCount
CVE-2014-8147 icu: integer truncation in the resolveImplicitLevels function
References:
[1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z
[2] https://www.kb.cert.org/vuls/id/602540
[3] http://bugs.icu-project.org/trac/changeset/37080
[4] http://bugs.icu-project.org/trac/changeset/37162
Upstream-Status: Backport
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
diff -ruN a/common/ubidi.c b/common/ubidi.c
--- a/common/ubidi.c 2014-10-03 18:11:20.000000000 +0200
+++ b/common/ubidi.c 2015-08-28 08:22:39.455906194 +0200
@@ -2138,7 +2138,7 @@
/* The isolates[] entries contain enough information to
resume the bidi algorithm in the same state as it was
when it was interrupted by an isolate sequence. */
- if(dirProps[start]==PDI) {
+ if(dirProps[start]==PDI && pBiDi->isolateCount >= 0) {
levState.startON=pBiDi->isolates[pBiDi->isolateCount].startON;
start1=pBiDi->isolates[pBiDi->isolateCount].start1;
stateImp=pBiDi->isolates[pBiDi->isolateCount].stateImp;
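Review bot: The new guard `if(dirProps[start]==PDI && pBiDi->isolateCount >= 0)` bounds isolateCount from below only; the three reads of `pBiDi->isolates[pBiDi->isolateCount]` that follow are still unchecked on the high side, so if isolateCount can reach or exceed the capacity of isolates[] (not visible in this hunk) the index remains out of range. It is worth confirming at the place where isolateCount is incremented that it is clamped against that capacity, or adding the upper bound to this condition as well. When the guard is false the code presumably continues into the existing else path, i.e. an unmatched PDI is handled as if no isolate were open; if that is the intended recovery, a comment on the condition would prevent a later reader from "simplifying" it, e.g. `/* isolateCount<0: PDI with no open isolate, nothing to resume (CVE-2014-8146) */`. The enclosing function begins and ends outside the hunk.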
diff -ruN a/common/ubidiimp.h b/common/ubidiimp.h
--- a/common/ubidiimp.h 2014-10-03 18:11:16.000000000 +0200
+++ b/common/ubidiimp.h 2015-08-28 08:28:24.069163845 +0200
@@ -1,7 +1,7 @@
/*
******************************************************************************
*
-* Copyright (C) 1999-2014, International Business Machines
+* Copyright (C) 1999-2015, International Business Machines
* Corporation and others. All Rights Reserved.
*
******************************************************************************
@@ -184,8 +184,8 @@
typedef struct Isolate {
int32_t startON;
int32_t start1;
+ int32_t state;
int16_t stateImp;
- int16_t state;
} Isolate;
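Review bot: `state` is widened from int16_t to int32_t and moved ahead of stateImp, but nothing in the hunk records why, so the next tidy-up could narrow it again. Suggest a comment on the new line: `int32_t state; /* keep int32_t: the former int16_t truncated the stored value (CVE-2014-8147) */`. Reordering the fields also changes the layout of Isolate, so any positional initializer, memcpy or size assumption on Isolate elsewhere in the file (not visible here) should be checked; access through `.state` is unaffected.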
typedef struct Run {