authorGravatar David Tardon <dtardon@redhat.com>2017-11-13 22:46:46 +0100
committerGravatar Abhishek Arya <inferno@chromium.org>2017-11-13 13:46:46 -0800
commit0bc454039f6467413e544d071d0ba99bb3511c27 (patch)
treef3c048bad0d913267d9654aed0bacbc437ccf59f /projects
parent5c93c1ce19866e0ea2ccd103f967e037ffeba698 (diff)
fixes for bundled ICU (#983)
* update bundled libs
* apply ICU ubsan patch from libreoffice. This fixes a few things that are not real problems but that ubsan doesn't like, e.g., ofz#3926.
* ofz#3670 fix heap-buffer overflow in ICU
Diffstat (limited to 'projects')
-rw-r--r--projects/dlplibs/Dockerfile8
-rwxr-xr-xprojects/dlplibs/build.sh8
-rw-r--r--projects/dlplibs/icu4c-ubsan.patch91
-rw-r--r--projects/dlplibs/ofz3670.patch28
4 files changed, 128 insertions, 7 deletions
diff --git a/projects/dlplibs/Dockerfile b/projects/dlplibs/Dockerfile
index 127bac3b..416c455b 100644
--- a/projects/dlplibs/Dockerfile
+++ b/projects/dlplibs/Dockerfile
@@ -21,12 +21,12 @@ RUN sed -i -e '/^#\s*deb-src.*\smain\s\+restricted/s/^#//' /etc/apt/sources.list
# install build requirements
RUN apt-get update && \
apt-get install -y wget xz-utils autoconf automake libtool pkg-config \
- gperf libboost-dev libglm-dev libmdds-dev
+ gperf libboost-dev libglm-dev libmdds-dev patch
ADD https://dev-www.libreoffice.org/src/lcms2-2.8.tar.gz \
https://dev-www.libreoffice.org/src/zlib-1.2.11.tar.xz \
https://dev-www.libreoffice.org/src/libpng-1.6.34.tar.xz \
- https://dev-www.libreoffice.org/src/libxml2-2.9.6.tar.gz \
- http://download.icu-project.org/files/icu4c/60rc/icu4c-60rc-src.tgz \
+ https://dev-www.libreoffice.org/src/libxml2-2.9.7.tar.gz \
+ https://dev-www.libreoffice.org/src/icu4c-60_1-src.tgz \
$SRC/
# download fuzzing corpora
ADD https://dev-www.libreoffice.org/corpus/olefuzzer_seed_corpus.zip \
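Review bot: The tarballs fetched by this `ADD`, including the new `libxml2-2.9.7.tar.gz` and `icu4c-60_1-src.tgz`, are used without any integrity check, so the build trusts whatever the mirror serves at build time. Fetching ICU over https instead of the previous plain-http URL protects the transfer, but only a pinned digest would catch a file that was changed or replaced on the server. A `RUN` step after the `ADD` could verify each archive, for example `RUN cd $SRC && echo "<SHA256_OF_ICU_TARBALL>  icu4c-60_1-src.tgz" | sha256sum -c -`, with the real digests recorded in the Dockerfile.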
@@ -117,4 +117,4 @@ RUN git clone --depth 1 git://gerrit.libreoffice.org/libabw
RUN git clone --depth 1 git://gerrit.libreoffice.org/libetonyek
RUN git clone --depth 1 git://gerrit.libreoffice.org/libqxp
WORKDIR $SRC
-COPY build.sh abw.dict *.options $SRC/
+COPY build.sh abw.dict *.options *.patch $SRC/
diff --git a/projects/dlplibs/build.sh b/projects/dlplibs/build.sh
index e763490b..3aefd5ed 100755
--- a/projects/dlplibs/build.sh
+++ b/projects/dlplibs/build.sh
@@ -39,8 +39,8 @@ export LIBPNG_CFLAGS="-I$(pwd)"
export LIBPNG_LIBS="-L$(pwd) -lpng16"
popd
-tar -xzf $SRC/libxml2-2.9.6.tar.gz
-pushd libxml2-2.9.6
+tar -xzf $SRC/libxml2-2.9.7.tar.gz
+pushd libxml2-2.9.7
./configure --disable-shared --enable-static --disable-ipv6 --without-python --without-zlib --without-lzma
make -j$(nproc)
export LIBXML_CFLAGS="-I$(pwd)/include"
@@ -49,8 +49,10 @@ export XML_CFLAGS="$LIBXML_CFLAGS"
export XML_LIBS="$LIBXML_LIBS"
popd
-tar -xzf $SRC/icu4c-60rc-src.tgz
+tar -xzf $SRC/icu4c-60_1-src.tgz
pushd icu/source
+patch -p2 < $SRC/icu4c-ubsan.patch
+patch -p3 < $SRC/ofz3670.patch
./configure --disable-shared --enable-static --with-data-packaging=static --disable-dyload --disable-strict \
--disable-layout --disable-samples --disable-extras --disable-icuio --disable-plugins \
CPPFLAGS=-DU_USE_STRTOD_L=0
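Review bot: Nothing in this hunk checks that the two `patch` invocations succeed, and whether build.sh runs with errexit is not visible here. If a later ICU update makes a hunk fail to apply, the build could carry on and produce fuzz targets linked against an ICU without the ofz#3670 fix, which is hard to notice afterwards. Consider `patch -p2 < "$SRC/icu4c-ubsan.patch" || exit 1` and `patch -p3 < "$SRC/ofz3670.patch" || exit 1`, which also quotes `$SRC`.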
diff --git a/projects/dlplibs/icu4c-ubsan.patch b/projects/dlplibs/icu4c-ubsan.patch
new file mode 100644
index 00000000..9f6aa3fb
--- /dev/null
+++ b/projects/dlplibs/icu4c-ubsan.patch
@@ -0,0 +1,91 @@
+diff -ur icu.org/source/common/rbbidata.h icu/source/common/rbbidata.h
+--- icu.org/source/common/rbbidata.h 2017-02-03 19:57:23.000000000 +0100
++++ icu/source/common/rbbidata.h 2017-04-21 22:46:25.371651160 +0200
+@@ -115,7 +115,7 @@
+ /* StatusTable of the set of matching */
+ /* tags (rule status values) */
+ int16_t fReserved;
+- uint16_t fNextState[2]; /* Next State, indexed by char category. */
++ uint16_t fNextState[1]; /* Next State, indexed by char category. */
+ /* This array does not have two elements */
+ /* Array Size is actually fData->fHeader->fCatCount */
+ /* CAUTION: see RBBITableBuilder::getTableSize() */
+@@ -128,7 +128,7 @@
+ uint32_t fRowLen; /* Length of a state table row, in bytes. */
+ uint32_t fFlags; /* Option Flags for this state table */
+ uint32_t fReserved; /* reserved */
+- char fTableData[4]; /* First RBBIStateTableRow begins here. */
++ char fTableData[1]; /* First RBBIStateTableRow begins here. */
+ /* (making it char[] simplifies ugly address */
+ /* arithmetic for indexing variable length rows.) */
+ };
+diff -ur icu.org/source/common/rbbitblb.cpp icu/source/common/rbbitblb.cpp
+--- icu.org/source/common/rbbitblb.cpp 2017-01-20 01:20:31.000000000 +0100
++++ icu/source/common/rbbitblb.cpp 2017-04-21 22:46:25.373651159 +0200
+@@ -1095,15 +1095,15 @@
+ return 0;
+ }
+
+- size = sizeof(RBBIStateTable) - 4; // The header, with no rows to the table.
++ size = offsetof(RBBIStateTable, fTableData); // The header, with no rows to the table.
+
+ numRows = fDStates->size();
+ numCols = fRB->fSetBuilder->getNumCharCategories();
+
+- // Note The declaration of RBBIStateTableRow is for a table of two columns.
+- // Therefore we subtract two from numCols when determining
++ // Note The declaration of RBBIStateTableRow is for a table of one columns.
++ // Therefore we subtract one from numCols when determining
+ // how much storage to add to a row for the total columns.
+- rowSize = sizeof(RBBIStateTableRow) + sizeof(uint16_t)*(numCols-2);
++ rowSize = sizeof(RBBIStateTableRow) + sizeof(uint16_t)*(numCols-1);
+ size += numRows * rowSize;
+ return size;
+ }
+@@ -1133,7 +1133,7 @@
+ }
+
+ table->fRowLen = sizeof(RBBIStateTableRow) +
+- sizeof(uint16_t) * (fRB->fSetBuilder->getNumCharCategories() - 2);
++ sizeof(uint16_t) * (fRB->fSetBuilder->getNumCharCategories() - 1);
+ table->fNumStates = fDStates->size();
+ table->fFlags = 0;
+ if (fRB->fLookAheadHardBreak) {
+diff -ur icu.org/source/common/ubidiimp.h icu/source/common/ubidiimp.h
+--- icu.org/source/common/ubidiimp.h 2017-02-03 19:57:23.000000000 +0100
++++ icu/source/common/ubidiimp.h 2017-04-21 22:46:25.374651159 +0200
+@@ -198,8 +198,8 @@
+ /* in a Run, logicalStart will get this bit set if the run level is odd */
+ #define INDEX_ODD_BIT (1UL<<31)
+
+-#define MAKE_INDEX_ODD_PAIR(index, level) ((index)|((int32_t)(level)<<31))
+-#define ADD_ODD_BIT_FROM_LEVEL(x, level) ((x)|=((int32_t)(level)<<31))
++#define MAKE_INDEX_ODD_PAIR(index, level) ((index)|((uint32_t)(level)<<31))
++#define ADD_ODD_BIT_FROM_LEVEL(x, level) ((x)|=((uint32_t)(level)<<31))
+ #define REMOVE_ODD_BIT(x) ((x)&=~INDEX_ODD_BIT)
+
+ #define GET_INDEX(x) ((x)&~INDEX_ODD_BIT)
+diff -ur icu.org/source/common/ucmndata.cpp icu/source/common/ucmndata.cpp
+--- icu.org/source/common/ucmndata.cpp 2017-03-08 16:34:47.000000000 +0100
++++ icu/source/common/ucmndata.cpp 2017-04-21 22:46:25.376651159 +0200
+@@ -77,7 +77,7 @@
+ typedef struct {
+ uint32_t count;
+ uint32_t reserved;
+- PointerTOCEntry entry[2]; /* Actual size is from count. */
++ PointerTOCEntry entry[1]; /* Actual size is from count. */
+ } PointerTOC;
+
+
+diff -ur icu.org/source/common/ucmndata.h icu/source/common/ucmndata.h
+--- icu.org/source/common/ucmndata.h 2017-01-20 01:20:31.000000000 +0100
++++ icu/source/common/ucmndata.h 2017-04-21 22:46:25.377651159 +0200
+@@ -52,7 +52,7 @@
+
+ typedef struct {
+ uint32_t count;
+- UDataOffsetTOCEntry entry[2]; /* Actual size of array is from count. */
++ UDataOffsetTOCEntry entry[1]; /* Actual size of array is from count. */
+ } UDataOffsetTOC;
+
+ /**
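Review bot: Shrinking the trailing arrays to `[1]` should reduce what `sizeof` yields for `RBBIStateTableRow`, `PointerTOC` and `UDataOffsetTOC`, yet the only size computations adjusted in this patch are the two in rbbitblb.cpp. Any other `sizeof` use of these structs elsewhere in ICU (not visible here) would now come out smaller than before, so the tree is worth grepping before relying on the patch. The carried-over comment `/* This array does not have two elements */` also no longer matches the declaration, and the rewritten note in rbbitblb.cpp reads "a table of one columns". Something like `/* Declared with one element; actual size is fData->fHeader->fCatCount */` would keep the comment accurate.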
diff --git a/projects/dlplibs/ofz3670.patch b/projects/dlplibs/ofz3670.patch
new file mode 100644
index 00000000..f59a5b1a
--- /dev/null
+++ b/projects/dlplibs/ofz3670.patch
@@ -0,0 +1,28 @@
+From b0537ec9a7047d55d365a64e9ec9559cf1f28792 Mon Sep 17 00:00:00 2001
+From: David Tardon <dtardon@redhat.com>
+Date: Mon, 13 Nov 2017 16:56:23 +0100
+Subject: [PATCH] avoid target buffer overflow
+
+---
+ icu4c/source/common/ucnv_u8.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/icu4c/source/common/ucnv_u8.cpp b/icu4c/source/common/ucnv_u8.cpp
+index 951988ed9..caaf18ae3 100644
+--- a/icu4c/source/common/ucnv_u8.cpp
++++ b/icu4c/source/common/ucnv_u8.cpp
+@@ -770,6 +770,11 @@ ucnv_UTF8FromUTF8(UConverterFromUnicodeArgs *pFromUArgs,
+ oldToULength=0;
+ toULength=1;
+ toULimit=U8_COUNT_BYTES_NON_ASCII(b);
++ if (toULimit > (const uint8_t *)pFromUArgs->targetLimit - target)
++ {
++ *pErrorCode = U_BUFFER_OVERFLOW_ERROR;
++ break;
++ }
+ c=b;
+ moreBytes:
+ while(toULength<toULimit) {
+--
+2.14.1
+
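Review bot: When the added check fires, the lead byte `b` has already been read, and nothing in the hunk puts it back or records it before the `break`. If the input pointer was advanced past `b` earlier in ucnv_UTF8FromUTF8 (that part of the function is outside the hunk), a caller that retries after `U_BUFFER_OVERFLOW_ERROR` with a larger target would resume one byte late and lose the start of the sequence. The guard does stop the write past `pFromUArgs->targetLimit`, so this concerns the correctness of resumed conversions rather than memory safety. It is worth confirming how the function's other overflow exits preserve pending input and matching that here, and adding a comment above the check such as `/* not enough room for the whole sequence: stop before writing past targetLimit */`.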