File icu-CVE-2025-5222.patch of Package icu
From 2c667e31cfd0b6bb1923627a932fd3453a5bac77 Mon Sep 17 00:00:00 2001
From: Frank Tang <ftang@chromium.org>
Date: Wed, 22 Jan 2025 11:50:59 -0800
Subject: [PATCH] ICU-22973 Fix buffer overflow by using CharString
---
icu4c/source/tools/genrb/parse.cpp | 49 ++++++++++++++++++------------
1 file changed, 29 insertions(+), 20 deletions(-)
--- a/source/tools/genrb/parse.cpp
+++ b/source/tools/genrb/parse.cpp
@@ -836,7 +836,7 @@
struct UString *tokenValue;
struct UString comment;
enum ETokenType token;
- char subtag[1024];
+ CharString subtag;
UVersionInfo version;
uint32_t line;
GenrbData genrbdata;
@@ -870,15 +870,15 @@
return NULL;
}
- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1);
-
+ subtag.clear();
+ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
if (U_FAILURE(*status))
{
res_close(result);
return NULL;
}
- member = parseResource(state, subtag, NULL, status);
+ member = parseResource(state, subtag.data(), nullptr, status);
if (U_FAILURE(*status))
{
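Review bot: The failure branch right after `subtag.appendInvariantChars(...)` closes `result` and returns NULL without reporting anything, so a key that fails conversion (non-invariant characters or a failed allocation) is rejected with no line number in the output. The table-key hunk further down already reports `error(line, "invariant characters required for table keys");` for the comparable case. An equivalent call inside this `if (U_FAILURE(*status))` block, for example `error(line, "invalid key: %s", u_errorName(*status));`, would make a rejected or malformed input file traceable. The same applies to the second conversion in the hunk at `@@ -1090,7 +1090,8 @@`. The enclosing function starts and ends outside the hunk, so whether a caller already prints the status cannot be seen from here.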
@@ -890,7 +890,7 @@
{
// Ignore the parsed resources, continue parsing.
}
- else if (uprv_strcmp(subtag, "Version") == 0)
+ else if (uprv_strcmp(subtag.data(), "Version") == 0)
{
char ver[40];
int32_t length = member->u.fString.fLength;
@@ -906,11 +906,11 @@
table_add(result, member, line, status);
member = NULL;
}
- else if(uprv_strcmp(subtag, "%%CollationBin")==0)
+ else if(uprv_strcmp(subtag.data(), "%%CollationBin")==0)
{
/* discard duplicate %%CollationBin if any*/
}
- else if (uprv_strcmp(subtag, "Sequence") == 0)
+ else if (uprv_strcmp(subtag.data(), "Sequence") == 0)
{
#if UCONFIG_NO_COLLATION || UCONFIG_NO_FILE_IO
warning(line, "Not building collation elements because of UCONFIG_NO_COLLATION and/or UCONFIG_NO_FILE_IO, see uconfig.h");
@@ -1048,7 +1048,7 @@
struct UString *tokenValue;
struct UString comment;
enum ETokenType token;
- char subtag[1024], typeKeyword[1024];
+ CharString subtag, typeKeyword;
uint32_t line;
result = table_open(state->bundle, tag, NULL, status);
@@ -1090,7 +1090,8 @@
return NULL;
}
- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1);
+ subtag.clear();
+ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
if (U_FAILURE(*status))
{
@@ -1098,9 +1099,9 @@
return NULL;
}
- if (uprv_strcmp(subtag, "default") == 0)
+ if (uprv_strcmp(subtag.data(), "default") == 0)
{
- member = parseResource(state, subtag, NULL, status);
+ member = parseResource(state, subtag.data(), nullptr, status);
if (U_FAILURE(*status))
{
@@ -1118,22 +1119,29 @@
/* then, we cannot handle aliases */
if(token == TOK_OPEN_BRACE) {
token = getToken(state, &tokenValue, &comment, &line, status);
- if (keepCollationType(subtag)) {
- collationRes = table_open(state->bundle, subtag, NULL, status);
+ if (keepCollationType(subtag.data())) {
+ collationRes = table_open(state->bundle, subtag.data(), nullptr, status);
} else {
collationRes = NULL;
}
// need to parse the collation data regardless
- collationRes = addCollation(state, collationRes, subtag, startline, status);
+ collationRes = addCollation(state, collationRes, subtag.data(), startline, status);
if (collationRes != NULL) {
table_add(result, collationRes, startline, status);
}
} else if(token == TOK_COLON) { /* right now, we'll just try to see if we have aliases */
/* we could have a table too */
token = peekToken(state, 1, &tokenValue, &line, &comment, status);
- u_UCharsToChars(tokenValue->fChars, typeKeyword, u_strlen(tokenValue->fChars) + 1);
- if(uprv_strcmp(typeKeyword, "alias") == 0) {
- member = parseResource(state, subtag, NULL, status);
+ typeKeyword.clear();
+ typeKeyword.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
+ if (U_FAILURE(*status))
+ {
+ res_close(result);
+ return nullptr;
+ }
+
+ if(uprv_strcmp(typeKeyword.data(), "alias") == 0) {
+ member = parseResource(state, subtag.data(), nullptr, status);
if (U_FAILURE(*status))
{
res_close(result);
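Review bot: `subtag.data()` is now passed to `table_open`, `addCollation` and `parseResource`, and that pointer is only guaranteed valid until `subtag` is next cleared and refilled, at which point the CharString may move its storage. With the old fixed-size array a retained pointer stayed addressable for the whole call, whereas here it would dangle. It is worth confirming that these callees copy the key rather than keep the pointer; their definitions are outside this hunk. A short comment at the declaration, such as `// data() is invalidated by the next clear()/append; callees must copy the key`, would record that contract. The enclosing function continues past the end of the hunk.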
@@ -1175,7 +1183,7 @@
struct UString *tokenValue=NULL;
struct UString comment;
enum ETokenType token;
- char subtag[1024];
+ CharString subtag;
uint32_t line;
UBool readToken = FALSE;
@@ -1214,7 +1222,8 @@
}
if(uprv_isInvariantUString(tokenValue->fChars, -1)) {
- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1);
+ subtag.clear();
+ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
} else {
*status = U_INVALID_FORMAT_ERROR;
error(line, "invariant characters required for table keys");
@@ -1227,7 +1236,7 @@
return NULL;
}
- member = parseResource(state, subtag, &comment, status);
+ member = parseResource(state, subtag.data(), &comment, status);
if (member == NULL || U_FAILURE(*status))
{