From 7d3e23201198a114d62d0578bfa0b11e760d1d68 Mon Sep 17 00:00:00 2001 From: zppzhangpan Date: Thu, 31 Jul 2025 16:13:08 +0800 Subject: [PATCH] fix CVE-2025-5222 --- ...t-Adding-UChar*-method-in-CharString.patch | 96 +++++++++++ backport-CVE-2025-5222.patch | 163 ++++++++++++++++++ icu.spec | 7 +- 3 files changed, 265 insertions(+), 1 deletion(-) create mode 100644 backport-Adding-UChar*-method-in-CharString.patch create mode 100644 backport-CVE-2025-5222.patch diff --git a/backport-Adding-UChar*-method-in-CharString.patch b/backport-Adding-UChar*-method-in-CharString.patch new file mode 100644 index 0000000..068f7b8 --- /dev/null +++ b/backport-Adding-UChar*-method-in-CharString.patch @@ -0,0 +1,96 @@ +From dd7235624ce837183d96598a1958f6b5968a72f8 Mon Sep 17 00:00:00 2001 +From: Shane Carr +Date: Fri, 14 Sep 2018 00:51:36 -0700 +Subject: [PATCH] ICU-11276 Adding UChar* method in CharString. + +--- + source/common/charstr.cpp | 12 +++++++++--- + source/common/charstr.h | 1 + + source/common/cmemory.h | 4 ++++ + source/common/uinvchar.h | 16 ---------------- + 4 files changed, 14 insertions(+), 19 deletions(-) + +diff --git a/source/common/charstr.cpp b/source/common/charstr.cpp +index 0b785e9c0107..852cc5394577 100644 +--- a/source/common/charstr.cpp ++++ b/source/common/charstr.cpp +@@ -126,15 +126,21 @@ char *CharString::getAppendBuffer(int32_t minCapacity, + } + + CharString &CharString::appendInvariantChars(const UnicodeString &s, UErrorCode &errorCode) { ++ return appendInvariantChars(s.getBuffer(), s.length(), errorCode); ++} ++ ++CharString &CharString::appendInvariantChars(const UChar* uchars, int32_t ucharsLen, UErrorCode &errorCode) { + if(U_FAILURE(errorCode)) { + return *this; + } +- if (!uprv_isInvariantUnicodeString(s)) { ++ if (!uprv_isInvariantUString(uchars, ucharsLen)) { + errorCode = U_INVARIANT_CONVERSION_ERROR; + return *this; + } +- if(ensureCapacity(len+s.length()+1, 0, errorCode)) { +- len+=s.extract(0, 0x7fffffff, buffer.getAlias()+len, buffer.getCapacity()-len, US_INV); ++ if(ensureCapacity(len+ucharsLen+1, 0, errorCode)) { ++ u_UCharsToChars(uchars, buffer.getAlias()+len, ucharsLen); ++ len += ucharsLen; ++ buffer[len] = 0; + } + return *this; + } +diff --git a/source/common/charstr.h b/source/common/charstr.h +index 86f69c383a0b..1a97e01988f9 100644 +--- a/source/common/charstr.h ++++ b/source/common/charstr.h +@@ -123,6 +123,7 @@ class U_COMMON_API CharString : public UMemory { + UErrorCode &errorCode); + + CharString &appendInvariantChars(const UnicodeString &s, UErrorCode &errorCode); ++ CharString &appendInvariantChars(const UChar* uchars, int32_t ucharsLen, UErrorCode& errorCode); + + /** + * Appends a filename/path part, e.g., a directory name. +diff --git a/source/common/cmemory.h b/source/common/cmemory.h +index e3532c759e1e..8f3b610de466 100644 +--- a/source/common/cmemory.h ++++ b/source/common/cmemory.h +@@ -279,6 +279,10 @@ inline T *LocalMemory::allocateInsteadAndCopy(int32_t newCapacity, int32_t le + * + * Unlike LocalMemory and LocalArray, this class never adopts + * (takes ownership of) another array. ++ * ++ * WARNING: MaybeStackArray only works with primitive (plain-old data) types. ++ * It does NOT know how to call a destructor! If you work with classes with ++ * destructors, consider LocalArray in localpointer.h. + */ + template + class MaybeStackArray { +diff --git a/source/common/uinvchar.h b/source/common/uinvchar.h +index c4f9f88b9ad3..56dddfa8fde9 100644 +--- a/source/common/uinvchar.h ++++ b/source/common/uinvchar.h +@@ -53,22 +53,6 @@ uprv_isInvariantString(const char *s, int32_t length); + U_INTERNAL UBool U_EXPORT2 + uprv_isInvariantUString(const UChar *s, int32_t length); + +-#ifdef __cplusplus +- +-/** +- * Check if a UnicodeString only contains invariant characters. +- * See utypes.h for details. +- * +- * @param s Input string. +- * @return TRUE if s contains only invariant characters. +- */ +-U_INTERNAL inline UBool U_EXPORT2 +-uprv_isInvariantUnicodeString(const icu::UnicodeString &s) { +- return uprv_isInvariantUString(icu::toUCharPtr(s.getBuffer()), s.length()); +-} +- +-#endif /* __cplusplus */ +- + /** + * \def U_UPPER_ORDINAL + * Get the ordinal number of an uppercase invariant character + diff --git a/backport-CVE-2025-5222.patch b/backport-CVE-2025-5222.patch new file mode 100644 index 0000000..623e63b --- /dev/null +++ b/backport-CVE-2025-5222.patch @@ -0,0 +1,163 @@ +From 6772dc101867bf31de9e2ce35b4bef9de1ae4aad Mon Sep 17 00:00:00 2001 +From: Frank Tang +Date: Wed, 22 Jan 2025 11:50:59 -0800 +Subject: ICU-22973 Fix buffer overflow by using CharString + +--- + source/tools/genrb/parse.cpp | 49 ++++++++++++++++++------------ + 1 file changed, 29 insertions(+), 20 deletions(-) + +diff --git a/source/tools/genrb/parse.cpp b/source/tools/genrb/parse.cpp +index 18a8c76dbc5..933c2647918 100644 +--- a/source/tools/genrb/parse.cpp ++++ b/source/tools/genrb/parse.cpp +@@ -818,7 +818,7 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp + struct UString *tokenValue; + struct UString comment; + enum ETokenType token; +- char subtag[1024]; ++ CharString subtag; + UnicodeString rules; + UBool haveRules = FALSE; + UVersionInfo version; +@@ -854,15 +854,15 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp + return NULL; + } + +- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1); +- ++ subtag.clear(); ++ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status); + if (U_FAILURE(*status)) + { + res_close(result); + return NULL; + } + +- member = parseResource(state, subtag, NULL, status); ++ member = parseResource(state, subtag.data(), NULL, status); + + if (U_FAILURE(*status)) + { +@@ -873,7 +873,7 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp + { + // Ignore the parsed resources, continue parsing. + } +- else if (uprv_strcmp(subtag, "Version") == 0 && member->isString()) ++ else if (uprv_strcmp(subtag.data(), "Version") == 0 && member->isString()) + { + StringResource *sr = static_cast(member); + char ver[40]; +@@ -890,11 +890,11 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp + result->add(member, line, *status); + member = NULL; + } +- else if(uprv_strcmp(subtag, "%%CollationBin")==0) ++ else if(uprv_strcmp(subtag.data(), "%%CollationBin")==0) + { + /* discard duplicate %%CollationBin if any*/ + } +- else if (uprv_strcmp(subtag, "Sequence") == 0 && member->isString()) ++ else if (uprv_strcmp(subtag.data(), "Sequence") == 0 && member->isString()) + { + StringResource *sr = static_cast(member); + rules = sr->fString; +@@ -1047,7 +1047,7 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n + struct UString *tokenValue; + struct UString comment; + enum ETokenType token; +- char subtag[1024], typeKeyword[1024]; ++ CharString subtag, typeKeyword; + uint32_t line; + + result = table_open(state->bundle, tag, NULL, status); +@@ -1089,7 +1089,8 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n + return NULL; + } + +- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1); ++ subtag.clear(); ++ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status); + + if (U_FAILURE(*status)) + { +@@ -1097,9 +1098,9 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n + return NULL; + } + +- if (uprv_strcmp(subtag, "default") == 0) ++ if (uprv_strcmp(subtag.data(), "default") == 0) + { +- member = parseResource(state, subtag, NULL, status); ++ member = parseResource(state, subtag.data(), NULL, status); + + if (U_FAILURE(*status)) + { +@@ -1118,22 +1119,29 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n + if(token == TOK_OPEN_BRACE) { + token = getToken(state, &tokenValue, &comment, &line, status); + TableResource *collationRes; +- if (keepCollationType(subtag)) { +- collationRes = table_open(state->bundle, subtag, NULL, status); ++ if (keepCollationType(subtag.data())) { ++ collationRes = table_open(state->bundle, subtag.data(), NULL, status); + } else { + collationRes = NULL; + } + // need to parse the collation data regardless +- collationRes = addCollation(state, collationRes, subtag, startline, status); ++ collationRes = addCollation(state, collationRes, subtag.data(), startline, status); + if (collationRes != NULL) { + result->add(collationRes, startline, *status); + } + } else if(token == TOK_COLON) { /* right now, we'll just try to see if we have aliases */ + /* we could have a table too */ + token = peekToken(state, 1, &tokenValue, &line, &comment, status); +- u_UCharsToChars(tokenValue->fChars, typeKeyword, u_strlen(tokenValue->fChars) + 1); +- if(uprv_strcmp(typeKeyword, "alias") == 0) { +- member = parseResource(state, subtag, NULL, status); ++ typeKeyword.clear(); ++ typeKeyword.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status); ++ if (U_FAILURE(*status)) ++ { ++ res_close(result); ++ return nullptr; ++ } ++ ++ if(uprv_strcmp(typeKeyword.data(), "alias") == 0) { ++ member = parseResource(state, subtag.data(), NULL, status); + if (U_FAILURE(*status)) + { + res_close(result); +@@ -1175,7 +1183,7 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star + struct UString *tokenValue=NULL; + struct UString comment; + enum ETokenType token; +- char subtag[1024]; ++ CharString subtag; + uint32_t line; + UBool readToken = FALSE; + +@@ -1214,7 +1222,8 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star + } + + if(uprv_isInvariantUString(tokenValue->fChars, -1)) { +- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1); ++ subtag.clear(); ++ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status); + } else { + *status = U_INVALID_FORMAT_ERROR; + error(line, "invariant characters required for table keys"); +@@ -1227,7 +1236,7 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star + return NULL; + } + +- member = parseResource(state, subtag, &comment, status); ++ member = parseResource(state, subtag.data(), &comment, status); + + if (member == NULL || U_FAILURE(*status)) + { +-- +2.30.2 + + diff --git a/icu.spec b/icu.spec index e8e3c00..a1a536d 100644 --- a/icu.spec +++ b/icu.spec @@ -1,6 +1,6 @@ Name: icu Version: 62.1 -Release: 7 +Release: 8 Summary: International Components for Unicode License: MIT and UCD and Public Domain URL: http://site.icu-project.org/ @@ -16,6 +16,8 @@ Patch2: icuinfo-man.patch Patch6000: icu-fix-memory-leak.patch Patch6001: CVE-2020-10531.patch Patch6002: backport-CVE-2020-21913.patch +Patch6003: backport-Adding-UChar*-method-in-CharString.patch +Patch6004: backport-CVE-2025-5222.patch Patch9000: delete-taboo-words.patch %description @@ -130,6 +132,9 @@ LD_LIBRARY_PATH=lib:stubdata:tools/ctestfw:$LD_LIBRARY_PATH bin/uconv -l %changelog +* Thu Jul 31 2025 zhangpan - 62.1-8 +- fix CVE-2025-5222 + * Tue Jun 13 2023 zhangpan - 62.1-7 - delete taboo words and redundant files -- Gitee