Merge pull request #11592 from nxhack/icu_66_1

icu: update to 66.1 & fix CVE-2020-10531
5 years ago · c8d7a48a5d
--- a/libs/icu/Makefile
+++ b/libs/icu/Makefile
@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=icu4c
 MAJOR_VERSION:=65
 MAJOR_VERSION:=66
 MINOR_VERSION:=1
 PKG_VERSION:=$(MAJOR_VERSION).$(MINOR_VERSION)
 PKG_RELEASE:=2
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(MAJOR_VERSION)_$(MINOR_VERSION)-src.tgz
 PKG_SOURCE_URL:=https://github.com/unicode-org/icu/releases/download/release-$(MAJOR_VERSION)-$(MINOR_VERSION)
 PKG_HASH:=53e37466b3d6d6d01ead029e3567d873a43a5d1c668ed2278e253b683136d948
 PKG_HASH:=52a3f2209ab95559c1cf0a14f24338001f389615bf00e2585ef3dbc43ecf0a2e

 PKG_LICENSE:=ICU
 PKG_LICENSE_FILES:=LICENSE
@ -137,6 +137,8 @@ define Host/Install
 	$(INSTALL_BIN)  $(HOST_BUILD_DIR)/bin/icupkg $(STAGING_DIR_HOSTPKG)/share/icu/$(PKG_VERSION)/bin/
 	$(INSTALL_BIN)  $(HOST_BUILD_DIR)/bin/pkgdata $(STAGING_DIR_HOSTPKG)/share/icu/$(PKG_VERSION)/bin/
 	$(CP)           $(HOST_BUILD_DIR)/lib/*.so* $(STAGING_DIR_HOSTPKG)/share/icu/$(PKG_VERSION)/lib/
 	$(RM)           $(STAGING_DIR_HOSTPKG)/share/icu/current
 	(cd $(STAGING_DIR_HOSTPKG)/share/icu;$(LN) $(PKG_VERSION) current)
 endef

 define Package/icu/install
--- a/libs/icu/patches/020-ICU-20958_CVE-2020-10531.patch
+++ b/libs/icu/patches/020-ICU-20958_CVE-2020-10531.patch
@ -0,0 +1,118 @@
 From 1d824ede675782fcf9367e4bbcba1d998cdc33f1 Mon Sep 17 00:00:00 2001
 From: Frank Tang <ftang@chromium.org>
 Date: Sat, 1 Feb 2020 02:39:04 +0000
 Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append

 See #971
 ---
 icu4c/source/common/unistr.cpp          |  6 ++-
 icu4c/source/test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++
 icu4c/source/test/intltest/ustrtest.h   |  1 +
 3 files changed, 68 insertions(+), 1 deletion(-)

 diff --git a/icu4c/source/common/unistr.cpp b/icu4c/source/common/unistr.cpp
 index 901bb3358ba..077b4d6ef20 100644
 --- a/common/unistr.cpp
 +++ b/common/unistr.cpp
@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
   }
 
   int32_t oldLength = length();
 -  int32_t newLength = oldLength + srcLength;
 +  int32_t newLength;
 +  if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
 +    setToBogus();
 +    return *this;
 +  }
 
   // Check for append onto ourself
   const UChar* oldArray = getArrayStart();
 diff --git a/icu4c/source/test/intltest/ustrtest.cpp b/icu4c/source/test/intltest/ustrtest.cpp
 index b6515ea813c..ad38bdf53a3 100644
 --- a/test/intltest/ustrtest.cpp
 +++ b/test/intltest/ustrtest.cpp
@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
     TESTCASE_AUTO(TestWCharPointers);
     TESTCASE_AUTO(TestNullPointers);
     TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf);
 +    TESTCASE_AUTO(TestLargeAppend);
     TESTCASE_AUTO_END;
 }
 
@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() {
     str.insert(2, sub);
     assertEquals("", u"abbcdcde", str);
 }
 +
 +void UnicodeStringTest::TestLargeAppend() {
 +    if(quick) return;
 +
 +    IcuTestErrorCode status(*this, "TestLargeAppend");
 +    // Make a large UnicodeString
 +    int32_t len = 0xAFFFFFF;
 +    UnicodeString str;
 +    char16_t *buf = str.getBuffer(len);
 +    // A fast way to set buffer to valid Unicode.
 +    // 4E4E is a valid unicode character
 +    uprv_memset(buf, 0x4e, len * 2);
 +    str.releaseBuffer(len);
 +    UnicodeString dest;
 +    // Append it 16 times
 +    // 0xAFFFFFF times 16 is 0xA4FFFFF1,
 +    // which is greater than INT32_MAX, which is 0x7FFFFFFF.
 +    int64_t total = 0;
 +    for (int32_t i = 0; i < 16; i++) {
 +        dest.append(str);
 +        total += len;
 +        if (total <= INT32_MAX) {
 +            assertFalse("dest is not bogus", dest.isBogus());
 +        } else {
 +            assertTrue("dest should be bogus", dest.isBogus());
 +        }
 +    }
 +    dest.remove();
 +    total = 0;
 +    for (int32_t i = 0; i < 16; i++) {
 +        dest.append(str);
 +        total += len;
 +        if (total + len <= INT32_MAX) {
 +            assertFalse("dest is not bogus", dest.isBogus());
 +        } else if (total <= INT32_MAX) {
 +            // Check that a string of exactly the maximum size works
 +            UnicodeString str2;
 +            int32_t remain = INT32_MAX - total;
 +            char16_t *buf2 = str2.getBuffer(remain);
 +            if (buf2 == nullptr) {
 +                // if somehow memory allocation fail, return the test
 +                return;
 +            }
 +            uprv_memset(buf2, 0x4e, remain * 2);
 +            str2.releaseBuffer(remain);
 +            dest.append(str2);
 +            total += remain;
 +            assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
 +            assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
 +            assertFalse("dest is not bogus", dest.isBogus());
 +
 +            // Check that a string size+1 goes bogus
 +            str2.truncate(1);
 +            dest.append(str2);
 +            total++;
 +            assertTrue("dest should be bogus", dest.isBogus());
 +        } else {
 +            assertTrue("dest should be bogus", dest.isBogus());
 +        }
 +    }
 +}
 diff --git a/icu4c/source/test/intltest/ustrtest.h b/icu4c/source/test/intltest/ustrtest.h
 index 218befdcc68..4a356a92c7a 100644
 --- a/test/intltest/ustrtest.h
 +++ b/test/intltest/ustrtest.h
@@ -97,6 +97,7 @@ class UnicodeStringTest: public IntlTest {
     void TestWCharPointers();
     void TestNullPointers();
     void TestUnicodeStringInsertAppendToSelf();
 +    void TestLargeAppend();
 };
 
 #endif