[Backport] Security bug 1044570
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/deps/icu/+/2036290:
Cherrypick fix for SEGV_MAPERR

Avoid int32_t overflow in length addition

See
https://bugs.chromium.org/p/chromium/issues/detail?id=1044570
https://unicode-org.atlassian.net/browse/ICU-20958
unicode-org/icu#971

Bug: chromium:1044570
Change-Id: I8be1a586e38da8cbf85a2f9420cc5a7d0d68b642
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
FrankYFTang authored and mibrunin committed Mar 20, 2020
1 parent a75e60a commit 24e36e9
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion chromium/third_party/icu/source/common/unistr.cpp
Expand Up @@ -1544,7 +1544,12 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
}

int32_t oldLength = length();
int32_t newLength = oldLength + srcLength;
int32_t newLength;
if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
setToBogus();
return *this;
}

// optimize append() onto a large-enough, owned string
if((newLength <= getCapacity() && isBufferWritable()) ||
cloneArrayIfNeeded(newLength, getGrowCapacity(newLength))) {
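Review bot: The guard on `oldLength + srcLength` is the right fix for the out-of-bounds write, but `newLength` is now declared without an initializer and is only assigned inside `uprv_add32_overflow`; confirm that helper stores the sum on the non-overflow path and that the header declaring it is included in this file (the hunk does not show either), otherwise the later `newLength <= getCapacity()` comparison reads an indeterminate value. The `setToBogus(); return *this;` path reports the failure only through the string's bogus state rather than to the caller, which follows UnicodeString's existing error convention, so a short note in the commit message that an oversized append leaves the string bogus (to be checked with `isBogus()`) would help anyone auditing callers of this backport.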
