ports/163476: [SECURITY] out of bounds access in _canonicalize devel/icu
Andrei Lavreniyuk
andy.lavr at gmail.com
Tue Dec 20 12:20:11 UTC 2011
>Number: 163476
>Category: ports
>Synopsis: [SECURITY] out of bounds access in _canonicalize devel/icu
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Dec 20 12:20:11 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Andrei Lavreniyuk
>Release: FreeBSD 8.2-STABLE
>Organization:
Technica-03, Inc.
>Environment:
FreeBSD datacenter.technica-03.local 8.2-STABLE FreeBSD 8.2-STABLE #0: Tue Dec 13 13:03:09 EET 2011 root at datacenter.technica-03.local:/usr/obj/usr/src/sys/SMP64 amd64
>Description:
http://bugs.icu-project.org/trac/ticket/8984
>How-To-Repeat:
>Fix:
Patch attached with submission follows:
--- common/uloc.cpp
+++ common/uloc.cpp
@@ -1797,7 +1797,7 @@
int32_t variantLen = _deleteVariant(variant, uprv_min(variantSize, (nameCapacity-len)), variantToCompare, n);
len -= variantLen;
if (variantLen > 0) {
- if (name[len-1] == '_') { /* delete trailing '_' */
+ if (len > 0 && name[len-1] == '_') { /* delete trailing '_' */
--len;
}
addKeyword = VARIANT_MAP[j].keyword;
@@ -1805,7 +1805,7 @@
break;
}
}
- if (name[len-1] == '_') { /* delete trailing '_' */
+ if (len > 0 && len <= nameCapacity && name[len-1] == '_') { /* delete trailing '_' */
--len;
}
}
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list