[icu/f19] Resolves: rhbz#1015594 CVE-2013-2924 use-after-free

Wed Oct 9 16:12:59 UTC 2013

commit 0006de77b5b32836130b7cc5c83f86a2dc6f139f
Author: Eike Rathke <erack at redhat.com>
Date:   Wed Oct 9 17:27:41 2013 +0200

    Resolves: rhbz#1015594 CVE-2013-2924 use-after-free
    
    Added icu.10318.CVE-2013-2924_changeset_34076.patch from
    https://ssl.icu-project.org/trac/changeset/34076 assigned to
    https://ssl.icu-project.org/trac/ticket/10318

 icu.10318.CVE-2013-2924_changeset_34076.patch |   36 +++++++++++++++++++++++++
 icu.spec                                      |    7 ++++-
 2 files changed, 42 insertions(+), 1 deletions(-)
---

diff --git a/icu.10318.CVE-2013-2924_changeset_34076.patch b/icu.10318.CVE-2013-2924_changeset_34076.patch
new file mode 100644
index 0000000..165d843
--- /dev/null
+++ b/icu.10318.CVE-2013-2924_changeset_34076.patch
@@ -0,0 +1,36 @@
+Index: /icu/trunk/source/i18n/csrucode.cpp
+===================================================================
+--- orig.icu/source/i18n/csrucode.cpp	(revision 34075)
++++ icu/source/i18n/csrucode.cpp	(revision 34076)
+@@ -1,5 +1,5 @@
+ /*
+  **********************************************************************
+- *   Copyright (C) 2005-2012, International Business Machines
++ *   Copyright (C) 2005-2013, International Business Machines
+  *   Corporation and others.  All Rights Reserved.
+  **********************************************************************
+@@ -34,6 +34,7 @@
+     const uint8_t *input = textIn->fRawInput;
+     int32_t confidence = 0;
++    int32_t length = textIn->fRawLength;
+ 
+-    if (input[0] == 0xFE && input[1] == 0xFF) {
++    if (length >=2 && input[0] == 0xFE && input[1] == 0xFF) {
+         confidence = 100;
+     }
+@@ -58,6 +59,7 @@
+     const uint8_t *input = textIn->fRawInput;
+     int32_t confidence = 0;
++    int32_t length = textIn->fRawLength;
+ 
+-    if (input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
++    if (length >= 4 && input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
+         confidence = 100;
+     }
+@@ -82,5 +84,5 @@
+     int32_t confidence = 0;
+ 
+-    if (getChar(input, 0) == 0x0000FEFFUL) {
++    if (limit > 0 && getChar(input, 0) == 0x0000FEFFUL) {
+         hasBOM = TRUE;
+     }
diff --git a/icu.spec b/icu.spec
index f58617b..fa0334c 100644
--- a/icu.spec
+++ b/icu.spec
@@ -1,6 +1,6 @@
 Name:      icu
 Version:   50.1.2
-Release:   8%{?dist}
+Release:   9%{?dist}
 Summary:   International Components for Unicode
 Group:     Development/Tools
 License:   MIT and UCD and Public Domain
@@ -20,6 +20,7 @@ Patch4: icu.9948.mlym-crash.patch
 Patch5: gennorm2-man.patch
 Patch6: icuinfo-man.patch
 Patch7: icu.10143.memory.leak.crash.patch
+Patch8: icu.10318.CVE-2013-2924_changeset_34076.patch
 
 %description
 Tools and utilities for developing with icu.
@@ -70,6 +71,7 @@ BuildArch: noarch
 %patch5 -p1 -b .gennorm2-man.patch
 %patch6 -p1 -b .icuinfo-man.patch
 %patch7 -p1 -b .icu10143.memory.leak.crash.patch
+%patch8 -p1 -b .icu10318.CVE-2013-2924_changeset_34076.patch
 
 %build
 cd source
@@ -177,6 +179,9 @@ make %{?_smp_mflags} -C source check
 %doc source/__docs/%{name}/html/*
 
 %changelog
+* Wed Oct 09 2013 Eike Rathke <erack at redhat.com> - 50.1.2-9
+- Resolves: rhbz#1015594 CVE-2013-2924 use-after-free
+
 * Fri Oct 04 2013 Eike Rathke <erack at redhat.com> - 50.1.2-8
 - added %{?_isa} to Requires for multi-arch systems
 
