summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2019-03-05 16:30:00 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-03-05 22:42:58 +0000
commit0b3f5e3cb90612c24f30ae8a50ed926492ce2e35 (patch)
tree46d78e1c9a9e60e10e1145e39c0d7a8500efb8bd
parenta5625df8031985e9c60c34068a4a01c36da40eec (diff)
downloadopenembedded-core-contrib-0b3f5e3cb90612c24f30ae8a50ed926492ce2e35.tar.gz
openembedded-core-contrib-0b3f5e3cb90612c24f30ae8a50ed926492ce2e35.tar.bz2
openembedded-core-contrib-0b3f5e3cb90612c24f30ae8a50ed926492ce2e35.zip
icu: fix CVE-2018-18928
Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-support/icu/icu/CVE-2018-18928.patch63
-rw-r--r--meta/recipes-support/icu/icu_63.1.bb1
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-support/icu/icu/CVE-2018-18928.patch b/meta/recipes-support/icu/icu/CVE-2018-18928.patch
new file mode 100644
index 0000000000..19c50e4e76
--- /dev/null
+++ b/meta/recipes-support/icu/icu/CVE-2018-18928.patch
@@ -0,0 +1,63 @@
+CVE: CVE-2018-18928
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 53d8c8f3d181d87a6aa925b449b51c4a2c922a51 Mon Sep 17 00:00:00 2001
+From: Shane Carr <shane@unicode.org>
+Date: Mon, 29 Oct 2018 23:52:44 -0700
+Subject: [PATCH] ICU-20246 Fixing another integer overflow in number parsing.
+
+---
+ i18n/fmtable.cpp | 2 +-
+ i18n/number_decimalquantity.cpp | 5 ++++-
+ test/intltest/numfmtst.cpp | 8 ++++++++
+ 6 files changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/i18n/fmtable.cpp b/i18n/fmtable.cpp
+index 45c7024fc29..8601d95f4a6 100644
+--- a/i18n/fmtable.cpp
++++ b/i18n/fmtable.cpp
+@@ -734,7 +734,7 @@ CharString *Formattable::internalGetCharString(UErrorCode &status) {
+ // not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?).
+ if (fDecimalQuantity->isZero()) {
+ fDecimalStr->append("0", -1, status);
+- } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) {
++ } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) {
+ fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status);
+ } else {
+ fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status);
+diff --git a/i18n/number_decimalquantity.cpp b/i18n/number_decimalquantity.cpp
+index 47b930a564b..d5dd7ae694c 100644
+--- a/i18n/number_decimalquantity.cpp
++++ b/i18n/number_decimalquantity.cpp
+@@ -898,7 +898,10 @@ UnicodeString DecimalQuantity::toScientificString() const {
+ }
+ result.append(u'E');
+ int32_t _scale = upperPos + scale;
+- if (_scale < 0) {
++ if (_scale == INT32_MIN) {
++ result.append({u"-2147483648", -1});
++ return result;
++ } else if (_scale < 0) {
+ _scale *= -1;
+ result.append(u'-');
+ } else {
+diff --git a/test/intltest/numfmtst.cpp b/test/intltest/numfmtst.cpp
+index 34355939113..8d52dc122bf 100644
+--- a/test/intltest/numfmtst.cpp
++++ b/test/intltest/numfmtst.cpp
+@@ -9226,6 +9226,14 @@ void NumberFormatTest::Test20037_ScientificIntegerOverflow() {
+ assertEquals(u"Should not overflow and should parse only the first exponent",
+ u"1E-2147483647",
+ {sp.data(), sp.length(), US_INV});
++
++ // Test edge case overflow of exponent
++ result = Formattable();
++ nf->parse(u".0003e-2147483644", result, status);
++ sp = result.getDecimalNumber(status);
++ assertEquals(u"Should not overflow",
++ u"3E-2147483648",
++ {sp.data(), sp.length(), US_INV});
+ }
+
+ void NumberFormatTest::Test13840_ParseLongStringCrash() {
diff --git a/meta/recipes-support/icu/icu_63.1.bb b/meta/recipes-support/icu/icu_63.1.bb
index e593dc1bdb..961f022ad7 100644
--- a/meta/recipes-support/icu/icu_63.1.bb
+++ b/meta/recipes-support/icu/icu_63.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "${BASE_SRC_URI} \
file://icu-pkgdata-large-cmd.patch \
file://fix-install-manx.patch \
file://0002-Add-ARC-support.patch \
+ file://CVE-2018-18928.patch \
"
SRC_URI_append_class-target = "\