| | | |
|---|---|---|
| author | Frank Tang <ftang@chromium.org> | 2020-02-03 18:30:51 +0000 |
| committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-05 11:27:49 +0000 |
| commit | da60616b9692a7885ac2b24f1fa584d18478cbe7 (patch) | |
| tree | 71189549a41196c5d27648dafc1b472858c9ecd6 | |
| parent | e87caa4598d70afedda68428f15419e40131245e (diff) | |
| download | qtwebengine-chromium-da60616b9692a7885ac2b24f1fa584d18478cbe7.tar.gz | |
[Backport] Security bug 1044570
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/deps/icu/+/2036290:
Cherrypick fix for SEGV_MAPERR
Avoid int32_t overflow in length addition
See
https://bugs.chromium.org/p/chromium/issues/detail?id=1044570
https://unicode-org.atlassian.net/browse/ICU-20958
https://github.com/unicode-org/icu/pull/971
Bug: chromium:1044570
Change-Id: I8be1a586e38da8cbf85a2f9420cc5a7d0d68b642
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r-- | chromium/third_party/icu/source/common/unistr.cpp | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/chromium/third_party/icu/source/common/unistr.cpp b/chromium/third_party/icu/source/common/unistr.cpp index 8f065158654..61f471da40e 100644 --- a/chromium/third_party/icu/source/common/unistr.cpp +++ b/chromium/third_party/icu/source/common/unistr.cpp @@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng } int32_t oldLength = length(); - int32_t newLength = oldLength + srcLength; + int32_t newLength; + if (uprv_add32_overflow(oldLength, srcLength, &newLength)) { + setToBogus(); + return *this; + } // Check for append onto ourself const UChar* oldArray = getArrayStart(); |
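Review bot: the hunk calls `uprv_add32_overflow` but adds no include, and the diffstat shows this six-line change as the whole backport, so confirm before landing that `unistr.cpp` already reaches the header declaring that helper in this ICU snapshot, otherwise the cherry-pick compiles upstream but not here. The recovery path also deserves a sentence in the commit message or a one-line comment above `setToBogus();`: on overflow the append is silently dropped and the string is flagged bogus rather than truncated or reported, so the fix for the negative `newLength` behind the SEGV_MAPERR only helps callers that check `isBogus()` afterwards, and a reader of `doAppend` should see that this branch means the combined length would not fit in `int32_t`.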
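To make the commit message's "Avoid int32_t overflow in length addition" concrete, here is an added, stand-alone C example that is not ICU code and not part of this patch. It reimplements the checked-add contract the hunk relies on (return non-zero on overflow, otherwise store the sum) by widening to `int64_t`, an assumption made here for portability rather than a claim about how ICU implements `uprv_add32_overflow`, and places the pre-fix addition pattern beside the fixed one so the negative "new length" that the unchecked form produces is visible. Two's-complement wrapping for the unchecked form is forced with unsigned arithmetic so the demonstration is deterministic instead of relying on undefined behaviour; function names are invented for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not ICU code). Checked 32-bit addition with the same
 * contract the patched doAppend() expects: returns 1 and leaves *res
 * untouched when a+b does not fit in int32_t, otherwise stores the sum
 * and returns 0. Widening to int64_t is an assumed, portable approach. */
static int checked_add32(int32_t a, int32_t b, int32_t *res) {
    int64_t sum = (int64_t)a + (int64_t)b;
    if (sum > INT32_MAX || sum < INT32_MIN) {
        return 1;  /* overflow: caller must not use the result */
    }
    *res = (int32_t)sum;
    return 0;
}

/* Pattern of the pre-fix line `int32_t newLength = oldLength + srcLength;`.
 * Kept deliberately unsafe to show the failure mode. Signed overflow is
 * undefined in C, so the wrap is forced through uint32_t here (assumes a
 * two's-complement target, which every mainstream platform is); a large
 * append then yields a negative length that later sizing code would trust. */
static int32_t new_length_unchecked(int32_t old_len, int32_t src_len) {
    uint32_t wrapped = (uint32_t)old_len + (uint32_t)src_len;
    return (int32_t)wrapped;
}

/* Pattern of the fixed code: refuse the append when the sum overflows.
 * ICU marks the string bogus in that case; this example returns -1 so a
 * caller can see the rejection. Inputs are assumed non-negative, as the
 * lengths handed to doAppend() are. */
static int32_t new_length_checked(int32_t old_len, int32_t src_len) {
    int32_t new_len;
    if (checked_add32(old_len, src_len, &new_len)) {
        return -1;  /* would exceed INT32_MAX: treat the string as bogus */
    }
    return new_len;
}

int main(void) {
    /* Constructed inputs: a string already near the int32_t limit plus a
     * modest append, the shape that drove the original crash. */
    int32_t old_len = INT32_MAX - 10;
    int32_t src_len = 20;

    printf("unchecked newLength = %d\n", new_length_unchecked(old_len, src_len));
    printf("checked   newLength = %d\n", new_length_checked(old_len, src_len));
    printf("checked   100 + 20  = %d\n", new_length_checked(100, 20));
    return 0;
}
```

The unchecked result is negative, which is exactly the value that would have been used to size or index the destination buffer before the fix; the checked version never exposes it. Note that `checked_add32` deliberately leaves `*res` unwritten on overflow, so any caller that forgets to test the return value still sees its own initialised value rather than a wrapped one.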