From f167f4e627d9551d18fade56c899f13c0a64032f Mon Sep 17 00:00:00 2001 From: lihao Date: Fri, 18 Mar 2022 18:27:52 +0800 Subject: [PATCH] fixed 736ddef from https://gitee.com/laigerendaqiu/third_party_flutter/pulls/60 fix CVE-2020-21913 and CVE-2020-10531 bugs Signed-off-by: lihao Change-Id: I9fcad98d07b03d328f1211679ce67daf6216b92b --- .../externals/icu/source/common/unistr.cpp | 7 +++++-- .../icu/source/tools/pkgdata/pkgdata.cpp | 16 ++++++++-------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/skia/third_party/externals/icu/source/common/unistr.cpp b/skia/third_party/externals/icu/source/common/unistr.cpp index c8b6c0a3..1e20a8d8 100644 --- a/skia/third_party/externals/icu/source/common/unistr.cpp +++ b/skia/third_party/externals/icu/source/common/unistr.cpp @@ -1564,8 +1564,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng } int32_t oldLength = length(); - int32_t newLength = oldLength + srcLength; - + int32_t newLength; + if (uprv_add32_overflow(oldLength, srcLength, &newLength)) { + setToBogus(); + return *this; + } // Check for append onto ourself const UChar* oldArray = getArrayStart(); if (isBufferWritable() && diff --git a/skia/third_party/externals/icu/source/tools/pkgdata/pkgdata.cpp b/skia/third_party/externals/icu/source/tools/pkgdata/pkgdata.cpp index b2cd0ab5..8a225927 100644 --- a/skia/third_party/externals/icu/source/tools/pkgdata/pkgdata.cpp +++ b/skia/third_party/externals/icu/source/tools/pkgdata/pkgdata.cpp @@ -66,6 +66,8 @@ U_DEFINE_LOCAL_OPEN_POINTER(LocalPipeFilePointer, FILE, pclose); #endif +using icu::LocalMemory; + static void loadLists(UPKGOptions *o, UErrorCode *status); static int32_t pkg_executeOptions(UPKGOptions *o); @@ -1507,9 +1509,7 @@ static int32_t pkg_generateLibraryFile(const char *targetDir, const char mode, c static int32_t pkg_createWithAssemblyCode(const char *targetDir, const char mode, const char *gencFilePath) { char tempObjectFile[SMALL_BUFFER_MAX_SIZE] = ""; - char *cmd; int32_t result = 0; - int32_t length = 0; /* Remove the ending .s and replace it with .o for the new object file. */ @@ -1519,22 +1519,22 @@ static int32_t pkg_createWithAssemblyCode(const char *targetDir, const char mode length = uprv_strlen(pkgDataFlags[COMPILER]) + uprv_strlen(pkgDataFlags[LIBFLAGS]) + uprv_strlen(tempObjectFile) + uprv_strlen(gencFilePath) + BUFFER_PADDING_SIZE; - cmd = (char *)uprv_malloc(sizeof(char) * length); - if (cmd == NULL) { + LocalMemory cmd((char *)uprv_malloc(sizeof(char) * length)); + if (cmd.isNull()) { return -1; } /* Generate the object file. */ - sprintf(cmd, "%s %s -o %s %s", + sprintf(cmd.getAlias(), "%s %s -o %s %s", pkgDataFlags[COMPILER], pkgDataFlags[LIBFLAGS], tempObjectFile, gencFilePath); - result = runCommand(cmd); - uprv_free(cmd); + result = runCommand(cmd.getAlias()); + if (result != 0) { - fprintf(stderr, "Error creating with assembly code. Failed command: %s\n", cmd); + fprintf(stderr, "Error creating with assembly code. Failed command: %s\n", cmd.getAlias()); return result; } -- Gitee