authorFrank Tang <ftang@chromium.org>2020-02-03 18:30:51 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-03-05 11:27:49 +0000
commitda60616b9692a7885ac2b24f1fa584d18478cbe7 (patch)
tree71189549a41196c5d27648dafc1b472858c9ecd6
parente87caa4598d70afedda68428f15419e40131245e (diff)
downloadqtwebengine-chromium-da60616b9692a7885ac2b24f1fa584d18478cbe7.tar.gz
[Backport] Security bug 1044570
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/deps/icu/+/2036290:

Cherrypick fix for SEGV_MAPERR: avoid int32_t overflow in length addition.

See https://bugs.chromium.org/p/chromium/issues/detail?id=1044570 https://unicode-org.atlassian.net/browse/ICU-20958 https://github.com/unicode-org/icu/pull/971

Bug: chromium:1044570
Change-Id: I8be1a586e38da8cbf85a2f9420cc5a7d0d68b642
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/third_party/icu/source/common/unistr.cpp6
1 files changed, 5 insertions, 1 deletions
diff --git a/chromium/third_party/icu/source/common/unistr.cpp b/chromium/third_party/icu/source/common/unistr.cpp
index 8f065158654..61f471da40e 100644
--- a/chromium/third_party/icu/source/common/unistr.cpp
+++ b/chromium/third_party/icu/source/common/unistr.cpp
@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
}
int32_t oldLength = length();
- int32_t newLength = oldLength + srcLength;
+ int32_t newLength;
+ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
+ setToBogus();
+ return *this;
+ }
// Check for append onto ourself
const UChar* oldArray = getArrayStart();