Patchwork [6/6,dora] icu: CVE-2013-2924

Submitter Mark Hatle
Date Dec. 5, 2013, 11:01 p.m.
Message ID <c361bdb11fd25302bcef078ead3737ff2d3af7d4.1386284385.git.mark.hatle@windriver.com>
Permalink /patch/62961/
State Accepted
Commit c66ff8bb8f4cdd6346a33b37599b67bbc77f1c8c

Comments

Mark Hatle - Dec. 5, 2013, 11:01 p.m.
From: Yue Tao <Yue.Tao@windriver.com>

Use-after-free vulnerability in International Components for Unicode (ICU),
as used in Google Chrome before 30.0.1599.66 and other products, allows
remote attackers to cause a denial of service or possibly have unspecified
other impact via unknown vectors.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2924

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
 ...fer_length_check_to_UTF_16_or_32_detector.patch | 33 ++++++++++++++++++++++
 meta/recipes-support/icu/icu_51.2.bb               |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644 meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch

Patch

diff --git a/meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch b/meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch
new file mode 100644
index 0000000..ad4d61c
--- /dev/null
+++ b/meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch
@@ -0,0 +1,33 @@ 
+--- source/i18n/csrucode.cpp
++++ source/i18n/csrucode.cpp
+@@ -33,8 +33,9 @@ UBool CharsetRecog_UTF_16_BE::match(Inpu
+ {
+     const uint8_t *input = textIn->fRawInput;
+     int32_t confidence = 0;
++    int32_t length = textIn->fRawLength;
+ 
+-    if (input[0] == 0xFE && input[1] == 0xFF) {
++    if (length >=2 && input[0] == 0xFE && input[1] == 0xFF) {
+         confidence = 100;
+     }
+ 
+@@ -57,8 +58,9 @@ UBool CharsetRecog_UTF_16_LE::match(Inpu
+ {
+     const uint8_t *input = textIn->fRawInput;
+     int32_t confidence = 0;
++    int32_t length = textIn->fRawLength;
+ 
+-    if (input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
++    if (length >= 4 && input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
+         confidence = 100;
+     }
+ 
+@@ -81,7 +83,7 @@ UBool CharsetRecog_UTF_32::match(InputTe
+     bool hasBOM = FALSE;
+     int32_t confidence = 0;
+ 
+-    if (getChar(input, 0) == 0x0000FEFFUL) {
++    if (limit > 0 && getChar(input, 0) == 0x0000FEFFUL) {
+         hasBOM = TRUE;
+     }
+ 
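Review bot: The new add_buffer_length_check_to_UTF_16_or_32_detector.patch starts directly at `--- source/i18n/csrucode.cpp` with no header, so the file itself carries no description, no CVE-2013-2924 reference, no Upstream-Status and no Signed-off-by. Please add a short header above that first `---` line saying where the fix originates and how length checks in the charset recognizers relate to the issue the commit message describes as a use-after-free. In the UTF_32 hunk the guard is `limit > 0`, and `limit` is defined outside the visible context, so please confirm that a positive `limit` covers every byte `getChar(input, 0)` reads; the two UTF_16 hunks compare `length` against the highest index they touch (`length >= 2` for `input[1]`, `length >= 4` for `input[3]`), which reads correctly. Minor style point: `length >=2` in the UTF_16_BE hunk is missing the space after the operator that the UTF_16_LE hunk has.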
diff --git a/meta/recipes-support/icu/icu_51.2.bb b/meta/recipes-support/icu/icu_51.2.bb
index 1278d22..7c7d214 100644
--- a/meta/recipes-support/icu/icu_51.2.bb
+++ b/meta/recipes-support/icu/icu_51.2.bb
@@ -7,6 +7,7 @@  PR = "r0"
 BASE_SRC_URI = "http://download.icu-project.org/files/icu4c/${PV}/icu4c-51_2-src.tgz"
 SRC_URI = "${BASE_SRC_URI} \
            file://icu-pkgdata-large-cmd.patch \
+           file://add_buffer_length_check_to_UTF_16_or_32_detector.patch \
           "
 
 SRC_URI[md5sum] = "072e501b87065f3a0ca888f1b5165709"