icu: add patch to fix CVE-2020-10531

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/90971
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@cib.de>
(cherry picked from commit 002d1152dc418f7d624409e76cd9d4ac0b42c7f8)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/90975
Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
(cherry picked from commit 63b573faf984875cda7a879e696ea75fae81df57)

Change-Id: I0aca4af1bd79f28bf1c920a4d05e80948106aaac
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/90998
Tested-by: Michael Stahl <michael.stahl@cib.de>
Reviewed-by: Michael Stahl <michael.stahl@cib.de>

3 files changed, 42 insertions, 1 deletions

diff --git a/external/icu/ExternalProject_icu.mk b/external/icu/ExternalProject_icu.mk
index 205817938539..838bef127e0e 100644
--- a/external/icu/ExternalProject_icu.mk
+++ b/external/icu/ExternalProject_icu.mk
@@ -13,7 +13,10 @@ $(eval $(call gb_ExternalProject_register_targets,icu,\
 	build \
 ))
 
-icu_CPPFLAGS:="-DHAVE_GCC_ATOMICS=$(if $(filter TRUE,$(GCC_HAVE_BUILTIN_ATOMIC)),1,0)"
+# -I to find o3tl headers
+icu_CPPFLAGS:=" \
+	-DHAVE_GCC_ATOMICS=$(if $(filter TRUE,$(GCC_HAVE_BUILTIN_ATOMIC)),1,0) \
+	-I$(SRCDIR)/include"
 
 ifeq ($(OS),WNT)
 
diff --git a/external/icu/UnpackedTarball_icu.mk b/external/icu/UnpackedTarball_icu.mk
index 304d71399561..4aebd830051b 100644
--- a/external/icu/UnpackedTarball_icu.mk
+++ b/external/icu/UnpackedTarball_icu.mk
@@ -29,6 +29,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,icu,\
 	external/icu/icu4c-changeset-39671.patch.1 \
 	external/icu/icu4c-changeset-40324.patch.1 \
 	external/icu/icu4c-59-icu13329-xlocale.patch.1 \
+	external/icu/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca.patch.2 \
 ))
 
 $(eval $(call gb_UnpackedTarball_add_file,icu,source/data/brkitr/khmerdict.dict,external/icu/khmerdict.dict))
diff --git a/external/icu/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca.patch.2 b/external/icu/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca.patch.2
new file mode 100644
index 000000000000..d3b34db670c5
--- /dev/null
+++ b/external/icu/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca.patch.2
@@ -0,0 +1,37 @@
+From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
+From: Frank Tang <ftang@chromium.org>
+Date: Sat, 1 Feb 2020 02:39:04 +0000
+Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
+
+See #971
+---
+ icu4c/source/common/unistr.cpp          |  6 ++-
+ icu4c/source/test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++
+ icu4c/source/test/intltest/ustrtest.h   |  1 +
+ 3 files changed, 68 insertions(+), 1 deletion(-)
+
+diff --git a/icu4c/source/common/unistr.cpp b/icu4c/source/common/unistr.cpp
+index 901bb3358ba..077b4d6ef20 100644
+--- a/icu4c/source/common/unistr.cpp
++++ b/icu4c/source/common/unistr.cpp
+@@ -31,6 +31,7 @@
+ #include "ustr_imp.h"
+ #include "umutex.h"
+ #include "uassert.h"
++#include <o3tl/safeint.hxx>
+ 
+ #if 0
+ 
+@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
+   }
+ 
+   int32_t oldLength = length();
+-  int32_t newLength = oldLength + srcLength;
++  int32_t newLength;
++  if (o3tl::checked_add(oldLength, srcLength, newLength)) {
++    setToBogus();
++    return *this;
++  }
+   // optimize append() onto a large-enough, owned string
+   if((newLength <= getCapacity() && isBufferWritable()) ||
+       cloneArrayIfNeeded(newLength, getGrowCapacity(newLength))) {