external/icu/UnpackedTarball_icu.mk                           |    2 
 external/icu/cec7de7a390dd6907b0ea0feb4488ed3934ee71d.patch.2 |   94 ++++++++++
 external/icu/e450fa50fc242282551f56b941dc93b9a8a0bcbb.patch.2 |   39 ++++
 3 files changed, 135 insertions(+)

New commits:
commit 881c71241011ee6b91c2d2f3269911eacbc1dfbe
Author:     Michael Stahl <[email protected]>
AuthorDate: Fri Nov 5 18:33:07 2021 +0100
Commit:     Michael Stahl <[email protected]>
CommitDate: Mon Nov 8 15:19:40 2021 +0100

    icu: add patch for CVE-2021-30535
    
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124779
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <[email protected]>
    (cherry picked from commit 35eef8ec9b122a761400f3c6590ca1f9a187d772)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124701
    Reviewed-by: Thorsten Behrens <[email protected]>
    (cherry picked from commit 105c258fcdd69f617de64b780ffcdb8304ff262c)
    
    Change-Id: I398596f77aa47ab6d4db01b94422262048cffd3e
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124838
    Tested-by: Michael Stahl <[email protected]>
    Reviewed-by: Michael Stahl <[email protected]>

diff --git a/external/icu/UnpackedTarball_icu.mk 
b/external/icu/UnpackedTarball_icu.mk
index d785264bebad..deeeb5171aaf 100644
--- a/external/icu/UnpackedTarball_icu.mk
+++ b/external/icu/UnpackedTarball_icu.mk
@@ -40,6 +40,8 @@ $(eval $(call gb_UnpackedTarball_add_patches,icu,\
        external/icu/c++20-comparison.patch \
        external/icu/ubsan.patch \
        external/icu/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca.patch.2 \
+       external/icu/cec7de7a390dd6907b0ea0feb4488ed3934ee71d.patch.2 \
+       external/icu/e450fa50fc242282551f56b941dc93b9a8a0bcbb.patch.2 \
 ))
 
 $(eval $(call 
gb_UnpackedTarball_add_file,icu,source/data/brkitr/khmerdict.dict,external/icu/khmerdict.dict))
diff --git a/external/icu/cec7de7a390dd6907b0ea0feb4488ed3934ee71d.patch.2 
b/external/icu/cec7de7a390dd6907b0ea0feb4488ed3934ee71d.patch.2
new file mode 100644
index 000000000000..1ded56abf524
--- /dev/null
+++ b/external/icu/cec7de7a390dd6907b0ea0feb4488ed3934ee71d.patch.2
@@ -0,0 +1,94 @@
+From cec7de7a390dd6907b0ea0feb4488ed3934ee71d Mon Sep 17 00:00:00 2001
+From: Frank Tang <[email protected]>
+Date: Tue, 16 Mar 2021 22:08:29 -0700
+Subject: [PATCH] ICU-21537 Fix invalid free by long locale name
+
+Do not free baseName if it is pointing to fullNameBuffer.
+
+Better Fix
+---
+ icu4c/source/common/locid.cpp                |  9 +++++----
+ icu4c/source/test/intltest/collationtest.cpp | 10 ++++++++++
+ 2 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/icu4c/source/common/locid.cpp b/icu4c/source/common/locid.cpp
+index 5d604350ecd..e16fbb724a4 100644
+--- a/icu4c/source/common/locid.cpp
++++ b/icu4c/source/common/locid.cpp
+@@ -254,7 +254,7 @@ UOBJECT_DEFINE_RTTI_IMPLEMENTATION(Locale)
+ 
+ Locale::~Locale()
+ {
+-    if (baseName != fullName) {
++    if ((baseName != fullName) && (baseName != fullNameBuffer)) {
+         uprv_free(baseName);
+     }
+     baseName = NULL;
+@@ -466,7 +466,7 @@ Locale& Locale::operator=(const Locale& other) {
+ }
+ 
+ Locale& Locale::operator=(Locale&& other) U_NOEXCEPT {
+-    if (baseName != fullName) uprv_free(baseName);
++    if ((baseName != fullName) && (baseName != fullNameBuffer)) 
uprv_free(baseName);
+     if (fullName != fullNameBuffer) uprv_free(fullName);
+ 
+     if (other.fullName == other.fullNameBuffer) {
+@@ -1850,7 +1850,7 @@ Locale& Locale::init(const char* localeID, UBool 
canonicalize)
+ {
+     fIsBogus = FALSE;
+     /* Free our current storage */
+-    if (baseName != fullName) {
++    if ((baseName != fullName) && (baseName != fullNameBuffer)) {
+         uprv_free(baseName);
+     }
+     baseName = NULL;
+@@ -1886,6 +1886,7 @@ Locale& Locale::init(const char* localeID, UBool 
canonicalize)
+             uloc_getName(localeID, fullName, sizeof(fullNameBuffer), &err);
+ 
+         if(err == U_BUFFER_OVERFLOW_ERROR || length >= 
(int32_t)sizeof(fullNameBuffer)) {
++            U_ASSERT(baseName == nullptr);
+             /*Go to heap for the fullName if necessary*/
+             fullName = (char *)uprv_malloc(sizeof(char)*(length + 1));
+             if(fullName == 0) {
+@@ -2039,7 +2040,7 @@ Locale::hashCode() const
+ void
+ Locale::setToBogus() {
+     /* Free our current storage */
+-    if(baseName != fullName) {
++    if((baseName != fullName) && (baseName != fullNameBuffer)) {
+         uprv_free(baseName);
+     }
+     baseName = NULL;
+diff --git a/icu4c/source/test/intltest/collationtest.cpp 
b/icu4c/source/test/intltest/collationtest.cpp
+index de51eece5c4..4f1fee9375e 100644
+--- a/icu4c/source/test/intltest/collationtest.cpp
++++ b/icu4c/source/test/intltest/collationtest.cpp
+@@ -78,6 +78,7 @@ class CollationTest : public IntlTest {
+     void TestRootElements();
+     void TestTailoredElements();
+     void TestDataDriven();
++    void TestLongLocale();
+ 
+ private:
+     void checkFCD(const char *name, CollationIterator &ci, CodePointIterator 
&cpi);
+@@ -148,6 +149,7 @@ void CollationTest::runIndexedTest(int32_t index, UBool 
exec, const char *&name,
+     TESTCASE_AUTO(TestRootElements);
+     TESTCASE_AUTO(TestTailoredElements);
+     TESTCASE_AUTO(TestDataDriven);
++    TESTCASE_AUTO(TestLongLocale);
+     TESTCASE_AUTO_END;
+ }
+ 
+@@ -1852,4 +1854,12 @@ void CollationTest::TestDataDriven() {
+     }
+ }
+ 
++void CollationTest::TestLongLocale() {
++    IcuTestErrorCode errorCode(*this, "TestLongLocale");
++    Locale 
longLocale("sie__1G_C_CEIE_CEZCX_CSUE_E_EIESZNI2_GB_LM_LMCSUE_LMCSX_"
++                      "LVARIANT_MMCSIE_STEU_SU1GCEIE_SU6G_SU6SU6G_U_UBGE_UC_"
++                      "UCEZCSI_UCIE_UZSIU_VARIANT_X@collation=bcs-ukvsz");
++    LocalPointer<Collator> coll(Collator::createInstance(longLocale, 
errorCode));
++}
++
+ #endif  // !UCONFIG_NO_COLLATION
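Review bot: The ownership rule behind the new guard is repeated by hand at four free sites in locid.cpp (`Locale::~Locale`, the move `operator=`, `Locale::init` and `Locale::setToBogus`) and is not stated in any of the embedded hunks, so a free site that is missed keeps the invalid free. A one-line comment at each site, or on a shared private predicate, would make the rule reviewable: `// baseName is a separate heap block only when it aliases neither fullName nor fullNameBuffer`. The copy `operator=` ends just above the second embedded hunk and its body is not shown, so this patch alone does not show whether it needs the same guard. The `U_ASSERT(baseName == nullptr)` added in `Locale::init` is, as far as I know, only active in debug builds, so it documents the invariant without enforcing it in release builds.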
diff --git a/external/icu/e450fa50fc242282551f56b941dc93b9a8a0bcbb.patch.2 
b/external/icu/e450fa50fc242282551f56b941dc93b9a8a0bcbb.patch.2
new file mode 100644
index 000000000000..4709cd8c37fd
--- /dev/null
+++ b/external/icu/e450fa50fc242282551f56b941dc93b9a8a0bcbb.patch.2
@@ -0,0 +1,39 @@
+From e450fa50fc242282551f56b941dc93b9a8a0bcbb Mon Sep 17 00:00:00 2001
+From: Frank Tang <[email protected]>
+Date: Tue, 13 Apr 2021 15:16:50 -0700
+Subject: [PATCH] ICU-21587 Fix memory bug w/ baseName
+
+Edge cases not fixed in assign and move assign operator
+while the locale is long and call setKeywordValue with incorrect
+keyword/values.
+---
+ icu4c/source/common/locid.cpp          | 11 +++++++++--
+ icu4c/source/test/intltest/loctest.cpp | 26 ++++++++++++++++++++++++++
+ icu4c/source/test/intltest/loctest.h   |  2 ++
+ 3 files changed, 37 insertions(+), 2 deletions(-)
+
+diff --git a/icu4c/source/common/locid.cpp b/icu4c/source/common/locid.cpp
+index 02cd82a7b8e..3c6e5b06690 100644
+--- a/icu4c/source/common/locid.cpp
++++ b/icu4c/source/common/locid.cpp
+@@ -469,14 +469,18 @@ Locale& Locale::operator=(Locale&& other) U_NOEXCEPT {
+     if ((baseName != fullName) && (baseName != fullNameBuffer)) 
uprv_free(baseName);
+     if (fullName != fullNameBuffer) uprv_free(fullName);
+ 
+-    if (other.fullName == other.fullNameBuffer) {
++    if (other.fullName == other.fullNameBuffer || other.baseName == 
other.fullNameBuffer) {
+         uprv_strcpy(fullNameBuffer, other.fullNameBuffer);
++    }
++    if (other.fullName == other.fullNameBuffer) {
+         fullName = fullNameBuffer;
+     } else {
+         fullName = other.fullName;
+     }
+ 
+-    if (other.baseName == other.fullName) {
++    if (other.baseName == other.fullNameBuffer) {
++        baseName = fullNameBuffer;
++    } else if (other.baseName == other.fullName) {
+         baseName = fullName;
+     } else {
+         baseName = other.baseName;
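Review bot: This vendored patch appears to carry only part of the upstream change. Its own diffstat lists 9 insertions and 2 deletions for `icu4c/source/common/locid.cpp`, but the single embedded hunk has 6 insertions and 2 deletions and the 39-line file ends right after it, inside the move `operator=`. If the three missing insertions belong to the memory fix rather than to code the bundled ICU already has, the CVE-2021-30535 backport is incomplete, so it is worth checking against upstream commit e450fa50fc242282551f56b941dc93b9a8a0bcbb and recording the reason for the omission in the commit message. The `loctest.cpp` and `loctest.h` changes named in the diffstat are absent as well, so the regression test for this case is not carried.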
