From 6d348beb63e8adf052503bc7921b91fd9e3ec51d Mon Sep 17 00:00:00 2001
From: Eike Rathke
Date: Wed, 16 Oct 2013 16:39:20 +0200
Subject: Resolves: rhbz#1015594 CVE-2013-2924 use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Added icu4c.10318.CVE-2013-2924_changeset_34076_icu-49.patch from https://ssl.icu-project.org/trac/changeset/34076 assigned to https://ssl.icu-project.org/trac/ticket/10318 Backported to 4-0 and ICU 49 from 970eca0d3040dbf61a9c91943b4b1281fdbcf48c
Change-Id: I33ba5569919878123909d032a0ed7bed43a4c549
Reviewed-on: https://gerrit.libreoffice.org/6270
Reviewed-by: Caolán McNamara
Tested-by: Caolán McNamara
---
...0318.CVE-2013-2924_changeset_34076_icu-49.patch | 43 ++++++++++++++++++++++
icu/makefile.mk | 1 +
2 files changed, 44 insertions(+)
create mode 100644 icu/icu4c.10318.CVE-2013-2924_changeset_34076_icu-49.patch
(limited to 'icu')
diff --git a/icu/icu4c.10318.CVE-2013-2924_changeset_34076_icu-49.patch b/icu/icu4c.10318.CVE-2013-2924_changeset_34076_icu-49.patch
new file mode 100644
index 000000000000..360a96ca61f5
--- /dev/null
+++ b/icu/icu4c.10318.CVE-2013-2924_changeset_34076_icu-49.patch
@@ -0,0 +1,43 @@
+diff -ru orig.icu/source/i18n/csrucode.cpp icu/source/i18n/csrucode.cpp
+--- misc/build/orig.icu/source/i18n/csrucode.cpp 2012-04-05 22:45:54.000000000 +0200
++++ misc/build/icu/source/i18n/csrucode.cpp 2013-10-09 18:56:06.521791271 +0200
+@@ -1,6 +1,6 @@
+ /*
+ **********************************************************************
+- * Copyright (C) 2005-2006, International Business Machines
++ * Copyright (C) 2005-2013, International Business Machines
+ * Corporation and others. All Rights Reserved.
+ **********************************************************************
+ */
+@@ -31,8 +31,9 @@
+ int32_t CharsetRecog_UTF_16_BE::match(InputText* textIn)
+ {
+ const uint8_t *input = textIn->fRawInput;
++ int32_t length = textIn->fRawLength;
+
+- if (input[0] == 0xFE && input[1] == 0xFF) {
++ if (length >=2 && input[0] == 0xFE && input[1] == 0xFF) {
+ return 100;
+ }
+
+@@ -53,8 +54,9 @@
+ int32_t CharsetRecog_UTF_16_LE::match(InputText* textIn)
+ {
+ const uint8_t *input = textIn->fRawInput;
++ int32_t length = textIn->fRawLength;
+
+- if (input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
++ if (length >= 4 && input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
+ return 100;
+ }
+
+@@ -76,7 +78,7 @@
+ bool hasBOM = FALSE;
+ int32_t confidence = 0;
+
+- if (getChar(input, 0) == 0x0000FEFFUL) {
++ if (limit > 0 && getChar(input, 0) == 0x0000FEFFUL) {
+ hasBOM = TRUE;
+ }
+
+Only in icu/source/i18n: csrucode.cpp.orig
diff --git a/icu/makefile.mk b/icu/makefile.mk
index 1f6e8e8f5652..35894cc2485c 100644
--- a/icu/makefile.mk
+++ b/icu/makefile.mk
@@ -46,6 +46,7 @@ TARFILE_ROOTDIR=icu #http://bugs.icu-project.org/trac/ticket/8198 rendering with 0D30 and 0D31 PATCH_FILES=\
+ icu4c.10318.CVE-2013-2924_changeset_34076_icu-49.patch \
 icu4c.10129.wintz.patch \
 icu4c.9948.mlym-crash.patch \
 icu4c-bsd.patch \
-- cgit v1.2.3
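Review bot: In the `CharsetRecog_UTF_16_LE::match` hunk of the added patch, the new `length >= 4 && ...` guard stops the read of `input[2]`/`input[3]` past a short buffer, but it also means a 2- or 3-byte buffer starting with FF FE no longer takes the BOM branch, while the BE check only requires `length >=2`. If that asymmetry is not intended, `if (length >= 2 && input[0] == 0xFF && input[1] == 0xFE && (length < 4 || input[2] != 0x00 || input[3] != 0x00)) {` keeps the bounds check and still accepts the short case. This affects detection accuracy only, and since the file is a backport of an upstream changeset it is better raised upstream than changed locally. In the last hunk, `limit > 0` is a sufficient guard for `getChar(input, 0)` (which presumably reads four bytes) only if `limit` is already rounded down to a multiple of four; that assignment is outside the hunk, so once confirmed a comment such as `// limit is a multiple of 4 here, so limit > 0 means at least 4 readable bytes` would record the invariant. All three function bodies continue outside the hunks shown.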