fix CVE-2020-10531

2020-03-20 14:47:25 +08:00 · 2020-03-20 14:47:25 +08:00 · 69a3df3a08
commit 69a3df3a08
parent cd130cb4bd
2 changed files with 119 additions and 1 deletions
--- a/CVE-2020-10531.patch
+++ b/CVE-2020-10531.patch
@ -0,0 +1,114 @@
 Backported of:
 From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
 From: Frank Tang <ftang@chromium.org>
 Date: Sat, 1 Feb 2020 02:39:04 +0000
 Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
 See #971
 diff --git a/source/common/unistr.cpp b/source/common/unistr.cpp
 index 1bfb71a..e8a7f12 100644
 --- a/source/common/unistr.cpp
 +++ b/source/common/unistr.cpp
@@ -1546,7 +1557,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
   }
   int32_t oldLength = length();
 -  int32_t newLength = oldLength + srcLength;
 +  int32_t newLength;
 +  if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
 +    setToBogus();
 +    return *this;
 +  }
   // optimize append() onto a large-enough, owned string
   if((newLength <= getCapacity() && isBufferWritable()) ||
       cloneArrayIfNeeded(newLength, getGrowCapacity(newLength))) {
 diff --git a/source/test/intltest/ustrtest.cpp b/source/test/intltest/ustrtest.cpp
 index b361e20..9b613d3 100644
 --- a/source/test/intltest/ustrtest.cpp
 +++ b/source/test/intltest/ustrtest.cpp
@@ -64,6 +64,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
     TESTCASE_AUTO(TestUInt16Pointers);
     TESTCASE_AUTO(TestWCharPointers);
     TESTCASE_AUTO(TestNullPointers);
 +    TESTCASE_AUTO(TestLargeAppend);
     TESTCASE_AUTO_END;
 }
@@ -2253,3 +2254,64 @@ UnicodeStringTest::TestNullPointers() {
     UnicodeString(u"def").extract(nullptr, 0, errorCode);
     assertEquals("buffer overflow extracting to nullptr", U_BUFFER_OVERFLOW_ERROR, errorCode);
 }
 +
 +void UnicodeStringTest::TestLargeAppend() {
 +    if(quick) return;
 +
 +    IcuTestErrorCode status(*this, "TestLargeAppend");
 +    // Make a large UnicodeString
 +    int32_t len = 0xAFFFFFF;
 +    UnicodeString str;
 +    char16_t *buf = str.getBuffer(len);
 +    // A fast way to set buffer to valid Unicode.
 +    // 4E4E is a valid unicode character
 +    uprv_memset(buf, 0x4e, len * 2);
 +    str.releaseBuffer(len);
 +    UnicodeString dest;
 +    // Append it 16 times
 +    // 0xAFFFFFF times 16 is 0xA4FFFFF1,
 +    // which is greater than INT32_MAX, which is 0x7FFFFFFF.
 +    int64_t total = 0;
 +    for (int32_t i = 0; i < 16; i++) {
 +        dest.append(str);
 +        total += len;
 +        if (total <= INT32_MAX) {
 +            assertFalse("dest is not bogus", dest.isBogus());
 +        } else {
 +            assertTrue("dest should be bogus", dest.isBogus());
 +        }
 +    }
 +    dest.remove();
 +    total = 0;
 +    for (int32_t i = 0; i < 16; i++) {
 +        dest.append(str);
 +        total += len;
 +        if (total + len <= INT32_MAX) {
 +            assertFalse("dest is not bogus", dest.isBogus());
 +        } else if (total <= INT32_MAX) {
 +            // Check that a string of exactly the maximum size works
 +            UnicodeString str2;
 +            int32_t remain = INT32_MAX - total;
 +            char16_t *buf2 = str2.getBuffer(remain);
 +            if (buf2 == nullptr) {
 +                // if somehow memory allocation fail, return the test
 +                return;
 +            }
 +            uprv_memset(buf2, 0x4e, remain * 2);
 +            str2.releaseBuffer(remain);
 +            dest.append(str2);
 +            total += remain;
 +            assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
 +            assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
 +            assertFalse("dest is not bogus", dest.isBogus());
 +
 +            // Check that a string size+1 goes bogus
 +            str2.truncate(1);
 +            dest.append(str2);
 +            total++;
 +            assertTrue("dest should be bogus", dest.isBogus());
 +        } else {
 +            assertTrue("dest should be bogus", dest.isBogus());
 +        }
 +    }
 +}
 diff --git a/source/test/intltest/ustrtest.h b/source/test/intltest/ustrtest.h
 index 4ba348c..d2d5ee1 100644
 --- a/source/test/intltest/ustrtest.h
 +++ b/source/test/intltest/ustrtest.h
@@ -96,6 +96,7 @@ public:
     void TestUInt16Pointers();
     void TestWCharPointers();
     void TestNullPointers();
 +    void TestLargeAppend();
 };
 #endif
--- a/icu.spec
+++ b/icu.spec
@ -1,6 +1,6 @@
 Name:      icu
 Version:   62.1
-Release:   3
+Release:   5
 Summary:   International Components for Unicode
 License:   MIT and UCD and Public Domain
 URL:       http://site.icu-project.org/
@ -14,6 +14,7 @@ Patch1:    gennorm2-man.patch
 Patch2:    icuinfo-man.patch
 Patch6000: icu-fix-memory-leak.patch
 Patch6001: CVE-2020-10531.patch
 %description
 Tools and utilities for developing with icu.
@ -128,6 +129,9 @@ LD_LIBRARY_PATH=lib:stubdata:tools/ctestfw:$LD_LIBRARY_PATH bin/uconv -l
 %changelog
 * Fri Mar 20 2020 gulining <gulining1@huawei.com> - 62.1-5
 - fix CVE-2020-10531
 * Tue Mar 10 2020 songnannan <songnannan2@huawei.com> - 62.1-4
 - bugfix memory leak