From 5f04bdfcf95b0d8ff9c115f604f3f815b9018271 Mon Sep 17 00:00:00 2001
From: Michael Stahl
Date: Wed, 20 Feb 2019 16:28:15 +0100
Subject: icu: fix CVE-2018-18928
Eike says that no LO code should use ICU number parser/formatter, but meanwhile ICU is also used in the externals firebird, harfbuzz, hunspell, libcdr, libebook, libfreehand, libmspub, libqxp, libivsio, libxml2, libzmf, pdfium, xmlsec, so let's just patch it to be sure.
Change-Id: I3e1a76d7ceefadbe3c514ad7f1384a4daa196f36
Reviewed-on: https://gerrit.libreoffice.org/68098
Reviewed-by: Michael Stahl
Tested-by: Michael Stahl
---
 external/icu/CVE-2018-18928.patch.2 | 63 +++++++++++++++++++++++++++++++++++++
 external/icu/UnpackedTarball_icu.mk | 1 +
 2 files changed, 64 insertions(+)
 create mode 100644 external/icu/CVE-2018-18928.patch.2
(limited to 'external')
diff --git a/external/icu/CVE-2018-18928.patch.2 b/external/icu/CVE-2018-18928.patch.2
new file mode 100644
index 000000000000..f92cee05ceed
--- /dev/null
+++ b/external/icu/CVE-2018-18928.patch.2
@@ -0,0 +1,63 @@
+From 6cbd62e59e30f73b444be89ea71fd74275ac53a4 Mon Sep 17 00:00:00 2001
+From: Shane Carr
+Date: Mon, 29 Oct 2018 23:52:44 -0700
+Subject: [PATCH] ICU-20246 Fixing another integer overflow in number parsing.
+
+(cherry picked from commit 53d8c8f3d181d87a6aa925b449b51c4a2c922a51)
+---
+ icu4c/source/i18n/fmtable.cpp | 2 +-
+ icu4c/source/i18n/number_decimalquantity.cpp | 5 ++++-
+ icu4c/source/test/intltest/numfmtst.cpp | 8 ++++++++
+ .../icu/impl/number/DecimalQuantity_AbstractBCD.java | 5 ++++-
+ .../impl/number/DecimalQuantity_DualStorageBCD.java | 10 +++++++++-
+ .../com/ibm/icu/dev/test/format/NumberFormatTest.java | 5 +++++
+ 6 files changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/icu4c/source/i18n/fmtable.cpp b/icu4c/source/i18n/fmtable.cpp
+index 45c7024fc29..8601d95f4a6 100644
+--- a/icu4c/source/i18n/fmtable.cpp
++++ b/icu4c/source/i18n/fmtable.cpp
+@@ -734,7 +734,7 @@ CharString *Formattable::internalGetCharString(UErrorCode &status) {
+ // not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?).
+ if (fDecimalQuantity->isZero()) {
+ fDecimalStr->append("0", -1, status);
+- } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) {
++ } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) {
+ fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status);
+ } else {
+ fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status);
+diff --git a/icu4c/source/i18n/number_decimalquantity.cpp b/icu4c/source/i18n/number_decimalquantity.cpp
+index 2c4182b1c6e..f6f2b20fab0 100644
+--- a/icu4c/source/i18n/number_decimalquantity.cpp
++++ b/icu4c/source/i18n/number_decimalquantity.cpp
+@@ -820,7 +820,10 @@ UnicodeString DecimalQuantity::toScientificString() const {
+ }
+ result.append(u'E');
+ int32_t _scale = upperPos + scale;
+- if (_scale < 0) {
++ if (_scale == INT32_MIN) {
++ result.append({u"-2147483648", -1});
++ return result;
++ } else if (_scale < 0) {
+ _scale *= -1;
+ result.append(u'-');
+ } else {
+diff --git a/icu4c/source/test/intltest/numfmtst.cpp b/icu4c/source/test/intltest/numfmtst.cpp
+index 34355939113..8d52dc122bf 100644
+--- a/icu4c/source/test/intltest/numfmtst.cpp
++++ b/icu4c/source/test/intltest/numfmtst.cpp
+@@ -9226,6 +9226,14 @@ void NumberFormatTest::Test20037_ScientificIntegerOverflow() {
+ assertEquals(u"Should not overflow and should parse only the first exponent",
+ u"1E-2147483647",
+ {sp.data(), sp.length(), US_INV});
++
++ // Test edge case overflow of exponent
++ result = Formattable();
++ nf->parse(u".0003e-2147483644", result, status);
++ sp = result.getDecimalNumber(status);
++ assertEquals(u"Should not overflow",
++ u"3E-2147483648",
++ {sp.data(), sp.length(), US_INV});
+ }
+
+ void NumberFormatTest::Test13840_ParseLongStringCrash() {
diff --git a/external/icu/UnpackedTarball_icu.mk b/external/icu/UnpackedTarball_icu.mk
index b241e8db7c13..9e5f7974a700 100644
--- a/external/icu/UnpackedTarball_icu.mk
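Review bot: The two `INT32_MIN` guards this patch adds, in `Formattable::internalGetCharString()` and `DecimalQuantity::toScientificString()`, carry no comment saying why that single value is special-cased, so a later refactor could fold them away. Both exist because `INT32_MIN` has no positive counterpart: `std::abs(getMagnitude())` and `_scale *= -1` would each overflow a signed 32-bit integer. A one-line comment above each guard would record this, for example `// INT32_MIN cannot be negated: std::abs() / *= -1 would overflow`. Separately, `int32_t _scale = upperPos + scale;` is still evaluated before the new check, and `toScientificString()` starts outside the hunk, so whether that sum is bounded at the positive end cannot be confirmed from here. The added test exercises only the negative edge (`.0003e-2147483644`), so a matching case near the largest positive exponent would be worth adding upstream.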
+++ b/external/icu/UnpackedTarball_icu.mk
@@ -38,6 +38,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,icu,\
 external/icu/icu4c-61-werror-shadow.patch.1 \
 external/icu/gcc9.patch \
 external/icu/char8_t.patch \
+ external/icu/CVE-2018-18928.patch.2 \
 ))
 $(eval $(call gb_UnpackedTarball_add_file,icu,source/data/brkitr/khmerdict.dict,external/icu/khmerdict.dict))
-- cgit