[Libreoffice-commits] core.git: Branch 'libreoffice-4-0-6' - icu/icu4c.10318.CVE-2013-2924_changeset_34076_icu-49.patch icu/makefile.mk

[Eike Rathke]

 icu/icu4c.10318.CVE-2013-2924_changeset_34076_icu-49.patch |   43 +++++++++++++
 icu/makefile.mk                                            |    1 
 2 files changed, 44 insertions(+)

New commits:
commit 640e86b4ba06a7c8381857d79627ec43416d72b3
Author: Eike Rathke <erack at redhat.com>
Date:   Wed Oct 16 16:39:20 2013 +0200

    Resolves: rhbz#1015594 CVE-2013-2924 use-after-free
    
    Added icu4c.10318.CVE-2013-2924_changeset_34076_icu-49.patch from
    https://ssl.icu-project.org/trac/changeset/34076 assigned to
    https://ssl.icu-project.org/trac/ticket/10318
    
    Backported to 4-0 and ICU 49 from
    970eca0d3040dbf61a9c91943b4b1281fdbcf48c
    
    Change-Id: I33ba5569919878123909d032a0ed7bed43a4c549
    Reviewed-on: https://gerrit.libreoffice.org/6271
    Reviewed-by: Björn Michaelsen <bjoern.michaelsen at canonical.com>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/icu/icu4c.10318.CVE-2013-2924_changeset_34076_icu-49.patch b/icu/icu4c.10318.CVE-2013-2924_changeset_34076_icu-49.patch
new file mode 100644
index 0000000..360a96c
--- /dev/null
+++ b/icu/icu4c.10318.CVE-2013-2924_changeset_34076_icu-49.patch
@@ -0,0 +1,43 @@
+diff -ru orig.icu/source/i18n/csrucode.cpp icu/source/i18n/csrucode.cpp
+--- misc/build/orig.icu/source/i18n/csrucode.cpp	2012-04-05 22:45:54.000000000 +0200
++++ misc/build/icu/source/i18n/csrucode.cpp	2013-10-09 18:56:06.521791271 +0200
+@@ -1,6 +1,6 @@
+ /*
+  **********************************************************************
+- *   Copyright (C) 2005-2006, International Business Machines
++ *   Copyright (C) 2005-2013, International Business Machines
+  *   Corporation and others.  All Rights Reserved.
+  **********************************************************************
+  */
+@@ -31,8 +31,9 @@
+ int32_t CharsetRecog_UTF_16_BE::match(InputText* textIn)
+ {
+     const uint8_t *input = textIn->fRawInput;
++    int32_t length = textIn->fRawLength;
+ 
+-    if (input[0] == 0xFE && input[1] == 0xFF) {
++    if (length >=2 && input[0] == 0xFE && input[1] == 0xFF) {
+         return 100;
+     }
+ 
+@@ -53,8 +54,9 @@
+ int32_t CharsetRecog_UTF_16_LE::match(InputText* textIn)
+ {
+     const uint8_t *input = textIn->fRawInput;
++    int32_t length = textIn->fRawLength;
+ 
+-    if (input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
++    if (length >= 4 && input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
+         return 100;
+     }
+ 
+@@ -76,7 +78,7 @@
+     bool hasBOM = FALSE;
+     int32_t confidence = 0;
+ 
+-    if (getChar(input, 0) == 0x0000FEFFUL) {
++    if (limit > 0 && getChar(input, 0) == 0x0000FEFFUL) {
+         hasBOM = TRUE;
+     }
+ 
+Only in icu/source/i18n: csrucode.cpp.orig
diff --git a/icu/makefile.mk b/icu/makefile.mk
index 1f6e8e8..35894cc 100644
--- a/icu/makefile.mk
+++ b/icu/makefile.mk
@@ -46,6 +46,7 @@ TARFILE_ROOTDIR=icu
 #http://bugs.icu-project.org/trac/ticket/8198 rendering with 0D30 and 0D31
 
 PATCH_FILES=\
+	icu4c.10318.CVE-2013-2924_changeset_34076_icu-49.patch \
     icu4c.10129.wintz.patch \
     icu4c.9948.mlym-crash.patch \
     icu4c-bsd.patch \