Skip to content

Commit

Permalink
closes #502: CVE-2016-6293/7415 CVE-2017-7867/7868/14952/15422
Browse files Browse the repository at this point in the history
  • Loading branch information
@classilla
classilla committed Jul 7, 2018
1 parent 8a97adc commit 7af97d2
Show file tree
Hide file tree
Showing 7 changed files with 113 additions and 112 deletions.
78 changes: 42 additions & 36 deletions intl/icu/source/common/locid.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@
#include "uhash.h"
#include "ucln_cmn.h"
#include "ustr_imp.h"
#include "charstr.h"

U_CDECL_BEGIN
static UBool U_CALLCONV locale_cleanup(void);
Expand All @@ -57,6 +58,12 @@ static UMutex gDefaultLocaleMutex = U_MUTEX_INITIALIZER;
static UHashtable *gDefaultLocalesHashT = NULL;
static Locale *gDefaultLocale = NULL;

/**
* \def ULOC_STRING_LIMIT
* strings beyond this value crash in CharString
*/
#define ULOC_STRING_LIMIT 357913941

U_NAMESPACE_END

typedef enum ELocalePos {
Expand Down Expand Up @@ -283,27 +290,36 @@ Locale::Locale( const char * newLanguage,
}
else
{
MaybeStackArray<char, ULOC_FULLNAME_CAPACITY> togo;
UErrorCode status = U_ZERO_ERROR;
int32_t size = 0;
int32_t lsize = 0;
int32_t csize = 0;
int32_t vsize = 0;
int32_t ksize = 0;
char *p;

// Calculate the size of the resulting string.

// Language
if ( newLanguage != NULL )
{
lsize = (int32_t)uprv_strlen(newLanguage);
if ( lsize < 0 || lsize > ULOC_STRING_LIMIT ) { // int32 wrap
setToBogus();
return;
}
size = lsize;
}

CharString togo(newLanguage, lsize, status); // start with newLanguage

// _Country
if ( newCountry != NULL )
{
csize = (int32_t)uprv_strlen(newCountry);
if ( csize < 0 || csize > ULOC_STRING_LIMIT ) { // int32 wrap
setToBogus();
return;
}
size += csize;
}

Expand All @@ -318,6 +334,10 @@ Locale::Locale( const char * newLanguage,

// remove trailing _'s
vsize = (int32_t)uprv_strlen(newVariant);
if ( vsize < 0 || vsize > ULOC_STRING_LIMIT ) { // int32 wrap
setToBogus();
return;
}
while( (vsize>1) && (newVariant[vsize-1] == SEP_CHAR) )
{
vsize--;
Expand All @@ -342,70 +362,56 @@ Locale::Locale( const char * newLanguage,
if ( newKeywords != NULL)
{
ksize = (int32_t)uprv_strlen(newKeywords);
if ( ksize < 0 || ksize > ULOC_STRING_LIMIT ) {
setToBogus();
return;
}
size += ksize + 1;
}


// NOW we have the full locale string..

/*if the whole string is longer than our internal limit, we need
to go to the heap for temporary buffers*/
if (size >= togo.getCapacity())
{
// If togo_heap could not be created, initialize with default settings.
if (togo.resize(size+1) == NULL) {
init(NULL, FALSE);
}
}

togo[0] = 0;

// Now, copy it back.
p = togo.getAlias();
if ( lsize != 0 )
{
uprv_strcpy(p, newLanguage);
p += lsize;
}

// newLanguage is already copied

if ( ( vsize != 0 ) || (csize != 0) ) // at least: __v
{ // ^
*p++ = SEP_CHAR;
togo.append(SEP_CHAR, status);
}

if ( csize != 0 )
{
uprv_strcpy(p, newCountry);
p += csize;
togo.append(newCountry, status);
}

if ( vsize != 0)
{
*p++ = SEP_CHAR; // at least: __v

uprv_strncpy(p, newVariant, vsize); // Must use strncpy because
p += vsize; // of trimming (above).
*p = 0; // terminate
togo.append(SEP_CHAR, status)
.append(newVariant, vsize, status);
}

if ( ksize != 0)
{
if (uprv_strchr(newKeywords, '=')) {
*p++ = '@'; /* keyword parsing */
togo.append('@', status); /* keyword parsing */
}
else {
*p++ = '_'; /* Variant parsing with a script */
togo.append('_', status); /* Variant parsing with a script */
if ( vsize == 0) {
*p++ = '_'; /* No country found */
togo.append('_', status); /* No country found */
}
}
uprv_strcpy(p, newKeywords);
p += ksize;
togo.append(newKeywords, status);
}

if (U_FAILURE(status)) {
// Something went wrong with appending, etc.
setToBogus();
return;
}
// Parse it, because for example 'language' might really be a complete
// string.
init(togo.getAlias(), FALSE);
init(togo.data(), FALSE);
}
}

Expand Down
100 changes: 31 additions & 69 deletions intl/icu/source/common/uloc.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2246,7 +2246,7 @@ _uloc_strtod(const char *start, char **end) {
typedef struct {
float q;
int32_t dummy; /* to avoid uninitialized memory copy from qsort */
char *locale;
char locale[ULOC_FULLNAME_CAPACITY+1];
} _acceptLangItem;

static int32_t U_CALLCONV
Expand Down Expand Up @@ -2288,9 +2288,7 @@ uloc_acceptLanguageFromHTTP(char *result, int32_t resultAvailable, UAcceptResult
UEnumeration* availableLocales,
UErrorCode *status)
{
_acceptLangItem *j;
_acceptLangItem smallBuffer[30];
char **strs;
icu::MaybeStackArray<_acceptLangItem, 4> items; // Struct for collecting items.
char tmp[ULOC_FULLNAME_CAPACITY +1];
int32_t n = 0;
const char *itemEnd;
Expand All @@ -2300,11 +2298,7 @@ uloc_acceptLanguageFromHTTP(char *result, int32_t resultAvailable, UAcceptResult
int32_t res;
int32_t i;
int32_t l = (int32_t)uprv_strlen(httpAcceptLanguage);
int32_t jSize;
char *tempstr; /* Use for null pointer check */

j = smallBuffer;
jSize = sizeof(smallBuffer)/sizeof(smallBuffer[0]);
if(U_FAILURE(*status)) {
return -1;
}
Expand Down Expand Up @@ -2332,93 +2326,61 @@ uloc_acceptLanguageFromHTTP(char *result, int32_t resultAvailable, UAcceptResult
while(isspace(*t)) {
t++;
}
j[n].q = (float)_uloc_strtod(t,NULL);
items[n].q = (float)_uloc_strtod(t,NULL);
} else {
/* no semicolon - it's 1.0 */
j[n].q = 1.0f;
items[n].q = 1.0f;
paramEnd = itemEnd;
}
j[n].dummy=0;
items[n].dummy=0;
/* eat spaces prior to semi */
for(t=(paramEnd-1);(paramEnd>s)&&isspace(*t);t--)
;
/* Check for null pointer from uprv_strndup */
tempstr = uprv_strndup(s,(int32_t)((t+1)-s));
if (tempstr == NULL) {
*status = U_MEMORY_ALLOCATION_ERROR;
return -1;
}
j[n].locale = tempstr;
uloc_canonicalize(j[n].locale,tmp,sizeof(tmp)/sizeof(tmp[0]),status);
if(strcmp(j[n].locale,tmp)) {
uprv_free(j[n].locale);
j[n].locale=uprv_strdup(tmp);
int32_t slen = ((t+1)-s);
if(slen > ULOC_FULLNAME_CAPACITY) {
*status = U_BUFFER_OVERFLOW_ERROR;
return -1; // too big
}
uprv_strncpy(items[n].locale, s, slen);
items[n].locale[slen]=0; // terminate
int32_t clen = uloc_canonicalize(items[n].locale, tmp, UPRV_LENGTHOF(tmp)-1, status);
if(U_FAILURE(*status)) return -1;
if((clen!=slen) || (uprv_strncmp(items[n].locale, tmp, slen))) {
// canonicalization had an effect- copy back
uprv_strncpy(items[n].locale, tmp, clen);
items[n].locale[clen] = 0; // terminate
}
#if defined(ULOC_DEBUG)
/*fprintf(stderr,"%d: s <%s> q <%g>\n", n, j[n].locale, j[n].q);*/
/*fprintf(stderr,"%d: s <%s> q <%g>\n", n, items[n].locale, items[n].q);*/
#endif
n++;
s = itemEnd;
while(*s==',') { /* eat duplicate commas */
s++;
}
if(n>=jSize) {
if(j==smallBuffer) { /* overflowed the small buffer. */
j = static_cast<_acceptLangItem *>(uprv_malloc(sizeof(j[0])*(jSize*2)));
if(j!=NULL) {
uprv_memcpy(j,smallBuffer,sizeof(j[0])*jSize);
}
#if defined(ULOC_DEBUG)
fprintf(stderr,"malloced at size %d\n", jSize);
#endif
} else {
j = static_cast<_acceptLangItem *>(uprv_realloc(j, sizeof(j[0])*jSize*2));
if(n>=items.getCapacity()) { // If we need more items
if(NULL == items.resize(items.getCapacity()*2, items.getCapacity())) {
*status = U_MEMORY_ALLOCATION_ERROR;
return -1;
}
#if defined(ULOC_DEBUG)
fprintf(stderr,"re-alloced at size %d\n", jSize);
fprintf(stderr,"malloced at size %d\n", items.getCapacity());
#endif
}
jSize *= 2;
if(j==NULL) {
*status = U_MEMORY_ALLOCATION_ERROR;
return -1;
}
}
}
uprv_sortArray(j, n, sizeof(j[0]), uloc_acceptLanguageCompare, NULL, TRUE, status);
uprv_sortArray(items.getAlias(), n, sizeof(items[0]), uloc_acceptLanguageCompare, NULL, TRUE, status);
icu::LocalArray<const char*> strs(new const char*[n], *status);
if(U_FAILURE(*status)) {
if(j != smallBuffer) {
#if defined(ULOC_DEBUG)
fprintf(stderr,"freeing j %p\n", j);
#endif
uprv_free(j);
}
return -1;
}
strs = static_cast<char **>(uprv_malloc((size_t)(sizeof(strs[0])*n)));
/* Check for null pointer */
if (strs == NULL) {
uprv_free(j); /* Free to avoid memory leak */
*status = U_MEMORY_ALLOCATION_ERROR;
return -1;
return -1;
}
for(i=0;i<n;i++) {
#if defined(ULOC_DEBUG)
/*fprintf(stderr,"%d: s <%s> q <%g>\n", i, j[i].locale, j[i].q);*/
/*fprintf(stderr,"%d: s <%s> q <%g>\n", i, items[i].locale, items[i].q);*/
#endif
strs[i]=j[i].locale;
strs[i]=items[i].locale;
}
res = uloc_acceptLanguage(result, resultAvailable, outResult,
(const char**)strs, n, availableLocales, status);
for(i=0;i<n;i++) {
uprv_free(strs[i]);
}
uprv_free(strs);
if(j != smallBuffer) {
#if defined(ULOC_DEBUG)
fprintf(stderr,"freeing j %p\n", j);
#endif
uprv_free(j);
}
strs.getAlias(), n, availableLocales, status);
return res;
}

Expand Down
Loading

0 comments on commit 7af97d2

Please sign in to comment.