From da60616b9692a7885ac2b24f1fa584d18478cbe7 Mon Sep 17 00:00:00 2001
From: Frank Tang
Date: Mon, 3 Feb 2020 18:30:51 +0000
Subject: [Backport] Security bug 1044570
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/deps/icu/+/2036290:

Cherrypick fix for SEGV_MAPERR

Avoid int32_t overflow in length addition
See https://bugs.chromium.org/p/chromium/issues/detail?id=1044570
https://unicode-org.atlassian.net/browse/ICU-20958
https://github.com/unicode-org/icu/pull/971

Bug: chromium:1044570
Change-Id: I8be1a586e38da8cbf85a2f9420cc5a7d0d68b642
Reviewed-by: Jüri Valdmann
---
 chromium/third_party/icu/source/common/unistr.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/chromium/third_party/icu/source/common/unistr.cpp b/chromium/third_party/icu/source/common/unistr.cpp
index 8f065158654..61f471da40e 100644
--- a/chromium/third_party/icu/source/common/unistr.cpp
+++ b/chromium/third_party/icu/source/common/unistr.cpp
@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
   }
 
   int32_t oldLength = length();
-  int32_t newLength = oldLength + srcLength;
+  int32_t newLength;
+  if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
+    setToBogus();
+    return *this;
+  }
 
   // Check for append onto ourself
  const UChar* oldArray = getArrayStart();
-- 
cgit v1.2.1
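Review bot: The new overflow guard on `newLength` carries no comment explaining why the string is made bogus rather than, say, truncated, and that reason is the whole security point of the patch: an overflowed `oldLength + srcLength` yields a negative or too-small length, the buffer sized from it is undersized, and the later copy writes past it (the SEGV_MAPERR named in the subject). I would add above the `if`: `// int32_t overflow of the combined length would under-size the buffer and let the copy run past it; there is no safe partial result, so fail into the bogus state.` The change also means an append that overflows now silently returns an empty bogus string, so callers that never check `isBogus()` after large appends proceed with a lost value — acceptable, and as far as I recall how the class already reports allocation failure, but worth a sentence in the commit message. Whether `srcLength` can still be negative at this point depends on the code above the hunk (doAppend begins before it and its body continues after it), and any other place in unistr.cpp that adds two lengths presumably needs the same guard, so this backport should be compared against the upstream ICU-20958 change to confirm nothing was dropped.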