Date: Tue, 20 Dec 2011 12:15:11 GMT From: Andrei Lavreniyuk <andy.lavr@gmail.com> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/163476: [SECURITY] out of bounds access in _canonicalize devel/icu Message-ID: <201112201215.pBKCFBR7058105@red.freebsd.org> Resent-Message-ID: <201112201220.pBKCKBcv048788@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 163476 >Category: ports >Synopsis: [SECURITY] out of bounds access in _canonicalize devel/icu >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Dec 20 12:20:11 UTC 2011 >Closed-Date: >Last-Modified: >Originator: Andrei Lavreniyuk >Release: FreeBSD 8.2-STABLE >Organization: Technica-03, Inc. >Environment: FreeBSD datacenter.technica-03.local 8.2-STABLE FreeBSD 8.2-STABLE #0: Tue Dec 13 13:03:09 EET 2011 root@datacenter.technica-03.local:/usr/obj/usr/src/sys/SMP64 amd64 >Description: http://bugs.icu-project.org/trac/ticket/8984 >How-To-Repeat: >Fix: Patch attached with submission follows: --- common/uloc.cpp +++ common/uloc.cpp @@ -1797,7 +1797,7 @@ int32_t variantLen = _deleteVariant(variant, uprv_min(variantSize, (nameCapacity-len)), variantToCompare, n); len -= variantLen; if (variantLen > 0) { - if (name[len-1] == '_') { /* delete trailing '_' */ + if (len > 0 && name[len-1] == '_') { /* delete trailing '_' */ --len; } addKeyword = VARIANT_MAP[j].keyword; @@ -1805,7 +1805,7 @@ break; } } - if (name[len-1] == '_') { /* delete trailing '_' */ + if (len > 0 && len <= nameCapacity && name[len-1] == '_') { /* delete trailing '_' */ --len; } } >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201112201215.pBKCFBR7058105>