[Libreoffice-commits] core.git: Branch 'libreoffice-4-1-3' - icu/icu4c.10318.CVE-2013-2924_changeset_34076.patch icu/UnpackedTarball_icu.mk

Eike Rathke erack at redhat.com
Fri Oct 18 08:28:57 PDT 2013


 icu/UnpackedTarball_icu.mk                          |    1 
 icu/icu4c.10318.CVE-2013-2924_changeset_34076.patch |   36 ++++++++++++++++++++
 2 files changed, 37 insertions(+)

New commits:
commit 7c858e7d5353d08c3e5f57a340a5c31e5a498ec1
Author: Eike Rathke <erack at redhat.com>
Date:   Wed Oct 16 16:10:46 2013 +0200

    Resolves: rhbz#1015594 CVE-2013-2924 use-after-free
    
    Added icu.10318.CVE-2013-2924_changeset_34076.patch from
    https://ssl.icu-project.org/trac/changeset/34076 assigned to
    https://ssl.icu-project.org/trac/ticket/10318
    
    Change-Id: I93a33e59aec9b79fb8d4b1517cd0990c79ee65fb
    (cherry picked from commit 7693a4b9fbb60105d8438465db51c7afef4c3eb1)
    Reviewed-on: https://gerrit.libreoffice.org/6273
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    Reviewed-by: David Tardon <dtardon at redhat.com>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/icu/UnpackedTarball_icu.mk b/icu/UnpackedTarball_icu.mk
index 3e084a9..cb01378 100644
--- a/icu/UnpackedTarball_icu.mk
+++ b/icu/UnpackedTarball_icu.mk
@@ -18,6 +18,7 @@ $(eval $(call gb_UnpackedTarball_set_pre_action,icu,\
 ))
 
 $(eval $(call gb_UnpackedTarball_add_patches,icu,\
+	icu/icu4c.10318.CVE-2013-2924_changeset_34076.patch \
 	icu/icu4c.10129.wintz.patch \
 	icu/icu4c.9948.mlym-crash.patch \
 	icu/icu4c-build.patch \
diff --git a/icu/icu4c.10318.CVE-2013-2924_changeset_34076.patch b/icu/icu4c.10318.CVE-2013-2924_changeset_34076.patch
new file mode 100644
index 0000000..90f50ab
--- /dev/null
+++ b/icu/icu4c.10318.CVE-2013-2924_changeset_34076.patch
@@ -0,0 +1,36 @@
+Index: /icu/trunk/source/i18n/csrucode.cpp
+===================================================================
+--- a/orig.icu/source/i18n/csrucode.cpp	(revision 34075)
++++ b/icu/source/i18n/csrucode.cpp	(revision 34076)
+@@ -1,5 +1,5 @@
+ /*
+  **********************************************************************
+- *   Copyright (C) 2005-2012, International Business Machines
++ *   Copyright (C) 2005-2013, International Business Machines
+  *   Corporation and others.  All Rights Reserved.
+  **********************************************************************
+@@ -34,6 +34,7 @@
+     const uint8_t *input = textIn->fRawInput;
+     int32_t confidence = 0;
++    int32_t length = textIn->fRawLength;
+ 
+-    if (input[0] == 0xFE && input[1] == 0xFF) {
++    if (length >=2 && input[0] == 0xFE && input[1] == 0xFF) {
+         confidence = 100;
+     }
+@@ -58,6 +59,7 @@
+     const uint8_t *input = textIn->fRawInput;
+     int32_t confidence = 0;
++    int32_t length = textIn->fRawLength;
+ 
+-    if (input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
++    if (length >= 4 && input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
+         confidence = 100;
+     }
+@@ -82,5 +84,5 @@
+     int32_t confidence = 0;
+ 
+-    if (getChar(input, 0) == 0x0000FEFFUL) {
++    if (limit > 0 && getChar(input, 0) == 0x0000FEFFUL) {
+         hasBOM = TRUE;
+     }
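Review bot: In the embedded csrucode.cpp patch, the last guard `limit > 0 && getChar(input, 0) == 0x0000FEFFUL` bounds the read only if `limit` is already rounded down to a whole number of four-byte units. `limit` and `getChar` are defined outside the visible context and getChar presumably reads four bytes, so this should be confirmed against the unpacked source. The UTF-16LE guard `length >= 4` also changes behaviour for short input: a two- or three-byte buffer starting with FF FE is no longer reported as UTF-16LE, while the UTF-16BE check only needs `length >=2`. A comment such as `// need 4 bytes to tell a UTF-16LE BOM from a UTF-32LE BOM` would record why the asymmetry is intended. All three function bodies start and end outside the embedded hunks, so the visible lines show only that `fRawInput` is now length-checked before indexing, not the full path behind the use-after-free label in the commit message.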

