icu: Fix memory bug w/ baseName

CVE-2021-30535 : Double free in ICU https://nvd.nist.gov/vuln/detail/CVE-2021-30535 https://security-tracker.debian.org/tracker/CVE-2021-30535 ICU-21587 : Fix memory bug w/ baseName https://github.com/unicode-org/icu/pull/1698 Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
2021-11-28 09:42:25 +09:00 · 2021-11-28 09:42:25 +09:00 · 1d5b64958b
parent c559096e03
commit 1d5b64958b
2 changed files with 48 additions and 1 deletions
--- a/libs/icu/Makefile
+++ b/libs/icu/Makefile
@ -11,7 +11,7 @@ PKG_NAME:=icu4c
 MAJOR_VERSION:=68
 MINOR_VERSION:=2
 PKG_VERSION:=$(MAJOR_VERSION).$(MINOR_VERSION)
-PKG_RELEASE:=1
+PKG_RELEASE:=2

 PKG_SOURCE:=$(PKG_NAME)-$(MAJOR_VERSION)_$(MINOR_VERSION)-src.tgz
 PKG_SOURCE_URL:=https://github.com/unicode-org/icu/releases/download/release-$(MAJOR_VERSION)-$(MINOR_VERSION)
--- a/libs/icu/patches/999-CVE-2021-30535.patch
+++ b/libs/icu/patches/999-CVE-2021-30535.patch
@ -0,0 +1,47 @@
+From e450fa50fc242282551f56b941dc93b9a8a0bcbb Mon Sep 17 00:00:00 2001
+From: Frank Tang <ftang@chromium.org>
+Date: Tue, 13 Apr 2021 15:16:50 -0700
+Subject: [PATCH] ICU-21587 Fix memory bug w/ baseName
+
+Edge cases not fixed in assign and move assign operator
+while the locale is long and call setKeywordValue with incorrect
+keyword/values.
+---
+ icu4c/source/common/locid.cpp          | 11 +++++++++--
+ icu4c/source/test/intltest/loctest.cpp | 26 ++++++++++++++++++++++++++
+ icu4c/source/test/intltest/loctest.h   |  2 ++
+ 3 files changed, 37 insertions(+), 2 deletions(-)
+
+--- a/common/locid.cpp
+++ b/common/locid.cpp
+@@ -469,14 +469,18 @@ Locale& Locale::operator=(Locale&& other
+     if (baseName != fullName) uprv_free(baseName);
+     if (fullName != fullNameBuffer) uprv_free(fullName);
+ 
+-    if (other.fullName == other.fullNameBuffer) {
+    if (other.fullName == other.fullNameBuffer || other.baseName == other.fullNameBuffer) {
+         uprv_strcpy(fullNameBuffer, other.fullNameBuffer);
+    }
+    if (other.fullName == other.fullNameBuffer) {
+         fullName = fullNameBuffer;
+     } else {
+         fullName = other.fullName;
+     }
+ 
+-    if (other.baseName == other.fullName) {
+    if (other.baseName == other.fullNameBuffer) {
+        baseName = fullNameBuffer;
+    } else if (other.baseName == other.fullName) {
+         baseName = fullName;
+     } else {
+         baseName = other.baseName;
+@@ -2478,6 +2482,9 @@ Locale::setKeywordValue(const char* keyw
+         if (fullName != fullNameBuffer) {
+             // if full Name is already on the heap, need to free it.
+             uprv_free(fullName);
+            if (baseName == fullName) {
+                baseName = newFullName; // baseName should not point to freed memory.
+            }
+         }
+         fullName = newFullName;
+         status = U_ZERO_ERROR;