authorMichael Stahl <Michael.Stahl@cib.de>2019-02-20 16:28:15 +0100
committerEike Rathke <erack@redhat.com>2019-02-25 11:45:48 +0100
commitdc7055ccee884f32caaa8657bf83acc82008db0b (patch)
tree0b6d58ef6c83a6b882aa056eea9e3f59f75c21dd
parent52f533dece9bf69d0f661d6b1085ab66536275f5 (diff)
icu: fix CVE-2018-18928
Eike says that no LO code should use ICU number parser/formatter, but meanwhile ICU is also used in the externals firebird, harfbuzz, hunspell, libcdr, libebook, libfreehand, libmspub, libqxp, libivsio, libxml2, libzmf, pdfium, xmlsec, so let's just patch it to be sure. Change-Id: I3e1a76d7ceefadbe3c514ad7f1384a4daa196f36 Reviewed-on: https://gerrit.libreoffice.org/68098 Reviewed-by: Michael Stahl <Michael.Stahl@cib.de> Tested-by: Michael Stahl <Michael.Stahl@cib.de> (cherry picked from commit 5f04bdfcf95b0d8ff9c115f604f3f815b9018271) Reviewed-on: https://gerrit.libreoffice.org/68111 Tested-by: Jenkins Reviewed-by: Eike Rathke <erack@redhat.com> (cherry picked from commit 0812325b46a877a6f150e5b9e1319e53eb9c87da) Reviewed-on: https://gerrit.libreoffice.org/68290 Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de> Reviewed-by: Adolfo Jayme Barrientos <fitojb@ubuntu.com> Tested-by: Eike Rathke <erack@redhat.com>
-rw-r--r--external/icu/CVE-2018-18928.patch.263
-rw-r--r--external/icu/UnpackedTarball_icu.mk1
2 files changed, 64 insertions, 0 deletions
diff --git a/external/icu/CVE-2018-18928.patch.2 b/external/icu/CVE-2018-18928.patch.2
new file mode 100644
index 000000000000..f92cee05ceed
--- /dev/null
+++ b/external/icu/CVE-2018-18928.patch.2
@@ -0,0 +1,63 @@
+From 6cbd62e59e30f73b444be89ea71fd74275ac53a4 Mon Sep 17 00:00:00 2001
+From: Shane Carr <shane@unicode.org>
+Date: Mon, 29 Oct 2018 23:52:44 -0700
+Subject: [PATCH] ICU-20246 Fixing another integer overflow in number parsing.
+
+(cherry picked from commit 53d8c8f3d181d87a6aa925b449b51c4a2c922a51)
+---
+ icu4c/source/i18n/fmtable.cpp | 2 +-
+ icu4c/source/i18n/number_decimalquantity.cpp | 5 ++++-
+ icu4c/source/test/intltest/numfmtst.cpp | 8 ++++++++
+ .../icu/impl/number/DecimalQuantity_AbstractBCD.java | 5 ++++-
+ .../impl/number/DecimalQuantity_DualStorageBCD.java | 10 +++++++++-
+ .../com/ibm/icu/dev/test/format/NumberFormatTest.java | 5 +++++
+ 6 files changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/icu4c/source/i18n/fmtable.cpp b/icu4c/source/i18n/fmtable.cpp
+index 45c7024fc29..8601d95f4a6 100644
+--- a/icu4c/source/i18n/fmtable.cpp
++++ b/icu4c/source/i18n/fmtable.cpp
+@@ -734,7 +734,7 @@ CharString *Formattable::internalGetCharString(UErrorCode &status) {
+ // not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?).
+ if (fDecimalQuantity->isZero()) {
+ fDecimalStr->append("0", -1, status);
+- } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) {
++ } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) {
+ fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status);
+ } else {
+ fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status);
+diff --git a/icu4c/source/i18n/number_decimalquantity.cpp b/icu4c/source/i18n/number_decimalquantity.cpp
+index 2c4182b1c6e..f6f2b20fab0 100644
+--- a/icu4c/source/i18n/number_decimalquantity.cpp
++++ b/icu4c/source/i18n/number_decimalquantity.cpp
+@@ -820,7 +820,10 @@ UnicodeString DecimalQuantity::toScientificString() const {
+ }
+ result.append(u'E');
+ int32_t _scale = upperPos + scale;
+- if (_scale < 0) {
++ if (_scale == INT32_MIN) {
++ result.append({u"-2147483648", -1});
++ return result;
++ } else if (_scale < 0) {
+ _scale *= -1;
+ result.append(u'-');
+ } else {
+diff --git a/icu4c/source/test/intltest/numfmtst.cpp b/icu4c/source/test/intltest/numfmtst.cpp
+index 34355939113..8d52dc122bf 100644
+--- a/icu4c/source/test/intltest/numfmtst.cpp
++++ b/icu4c/source/test/intltest/numfmtst.cpp
+@@ -9226,6 +9226,14 @@ void NumberFormatTest::Test20037_ScientificIntegerOverflow() {
+ assertEquals(u"Should not overflow and should parse only the first exponent",
+ u"1E-2147483647",
+ {sp.data(), sp.length(), US_INV});
++
++ // Test edge case overflow of exponent
++ result = Formattable();
++ nf->parse(u".0003e-2147483644", result, status);
++ sp = result.getDecimalNumber(status);
++ assertEquals(u"Should not overflow",
++ u"3E-2147483648",
++ {sp.data(), sp.length(), US_INV});
+ }
+
+ void NumberFormatTest::Test13840_ParseLongStringCrash() {
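Review bot: In the `number_decimalquantity.cpp` hunk of the carried patch, the new `_scale == INT32_MIN` test runs only after `int32_t _scale = upperPos + scale;` has been evaluated in 32-bit signed arithmetic, so it catches the one value whose negation overflows but not a sum that itself leaves the int32_t range. Whether `upperPos` and `scale` can reach such a combination depends on bounds enforced outside this hunk (`toScientificString` starts and ends outside it), so that should be confirmed against the parser's clamping of the exponent. If it cannot be ruled out, widening the sum before the comparison, e.g. `int64_t wide = static_cast<int64_t>(upperPos) + scale;`, would remove the undefined behaviour. In the `fmtable.cpp` hunk `getMagnitude()` is now called twice in one condition; reading it once into a local would keep the `INT32_MIN` guard and the `std::abs` call visibly tied to the same value.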
diff --git a/external/icu/UnpackedTarball_icu.mk b/external/icu/UnpackedTarball_icu.mk
index b241e8db7c13..9e5f7974a700 100644
--- a/external/icu/UnpackedTarball_icu.mk
+++ b/external/icu/UnpackedTarball_icu.mk
@@ -38,6 +38,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,icu,\
external/icu/icu4c-61-werror-shadow.patch.1 \
external/icu/gcc9.patch \
external/icu/char8_t.patch \
+ external/icu/CVE-2018-18928.patch.2 \
))
$(eval $(call gb_UnpackedTarball_add_file,icu,source/data/brkitr/khmerdict.dict,external/icu/khmerdict.dict))