fixes for bundled ICU (#983)

* update bundled libs

* apply ICU ubsan patch from libreoffice

This fixes a few things that are not real problems, but which ubsan
complains about, e.g., ofz#3926.

* ofz#3670 fix heap-buffer overflow in ICU
David Tardon 2017-11-13 22:46:46 +01:00 committed by Abhishek Arya
parent 5c93c1ce19
commit 0bc454039f
4 changed files with 128 additions and 7 deletions


@ -21,12 +21,12 @@ RUN sed -i -e '/^#\s*deb-src.*\smain\s\+restricted/s/^#//' /etc/apt/sources.list
# install build requirements
RUN apt-get update && \
apt-get install -y wget xz-utils autoconf automake libtool pkg-config \
gperf libboost-dev libglm-dev libmdds-dev
gperf libboost-dev libglm-dev libmdds-dev patch
ADD https://dev-www.libreoffice.org/src/lcms2-2.8.tar.gz \
https://dev-www.libreoffice.org/src/zlib-1.2.11.tar.xz \
https://dev-www.libreoffice.org/src/libpng-1.6.34.tar.xz \
https://dev-www.libreoffice.org/src/libxml2-2.9.6.tar.gz \
http://download.icu-project.org/files/icu4c/60rc/icu4c-60rc-src.tgz \
https://dev-www.libreoffice.org/src/libxml2-2.9.7.tar.gz \
https://dev-www.libreoffice.org/src/icu4c-60_1-src.tgz \
$SRC/
# download fuzzing corpora
ADD https://dev-www.libreoffice.org/corpus/olefuzzer_seed_corpus.zip \
@ -117,4 +117,4 @@ RUN git clone --depth 1 git://gerrit.libreoffice.org/libabw
RUN git clone --depth 1 git://gerrit.libreoffice.org/libetonyek
RUN git clone --depth 1 git://gerrit.libreoffice.org/libqxp
WORKDIR $SRC
COPY build.sh abw.dict *.options $SRC/
COPY build.sh abw.dict *.options *.patch $SRC/
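Review bot: The new ADD lines for libxml2-2.9.7.tar.gz and icu4c-60_1-src.tgz fetch build inputs over HTTPS with no integrity check, so a replaced or tampered tarball on dev-www.libreoffice.org would be built and fuzzed without notice; nothing in this hunk verifies them, and if a checksum step exists elsewhere in the Dockerfile it needs extending to the new versions. Since the versions are now pinned, their digests can be pinned too, e.g. a `RUN cd $SRC && echo "<sha256>  icu4c-60_1-src.tgz" | sha256sum -c -` after the ADD (one entry per tarball), using the hashes LibreOffice already records for these files in its download.lst. Docker's ADD caching does not substitute for this: a changed remote file is simply re-downloaded and used.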


@ -39,8 +39,8 @@ export LIBPNG_CFLAGS="-I$(pwd)"
export LIBPNG_LIBS="-L$(pwd) -lpng16"
popd
tar -xzf $SRC/libxml2-2.9.6.tar.gz
pushd libxml2-2.9.6
tar -xzf $SRC/libxml2-2.9.7.tar.gz
pushd libxml2-2.9.7
./configure --disable-shared --enable-static --disable-ipv6 --without-python --without-zlib --without-lzma
make -j$(nproc)
export LIBXML_CFLAGS="-I$(pwd)/include"
@ -49,8 +49,10 @@ export XML_CFLAGS="$LIBXML_CFLAGS"
export XML_LIBS="$LIBXML_LIBS"
popd
tar -xzf $SRC/icu4c-60rc-src.tgz
tar -xzf $SRC/icu4c-60_1-src.tgz
pushd icu/source
patch -p2 < $SRC/icu4c-ubsan.patch
patch -p3 < $SRC/ofz3670.patch
./configure --disable-shared --enable-static --with-data-packaging=static --disable-dyload --disable-strict \
--disable-layout --disable-samples --disable-extras --disable-icuio --disable-plugins \
CPPFLAGS=-DU_USE_STRTOD_L=0
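Review bot: The two `patch` invocations added above `./configure` are not guarded against failure; whether a rejected hunk aborts the build depends on the script's shebang or a `set -e` outside this view, and if it does not, the next ICU tarball bump would silently build an unpatched ICU and reintroduce ofz#3670 with no build error. Making the failure explicit costs a few characters each: `patch -p2 < $SRC/icu4c-ubsan.patch || exit 1` and `patch -p3 < $SRC/ofz3670.patch || exit 1`. A one-line comment above them naming why each patch exists and when it can go, e.g. `# ofz#3670: target bounds check in ucnv_UTF8FromUTF8; drop once an ICU release carries the fix`, would help whoever bumps ICU next.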


@ -0,0 +1,91 @@
diff -ur icu.org/source/common/rbbidata.h icu/source/common/rbbidata.h
--- icu.org/source/common/rbbidata.h 2017-02-03 19:57:23.000000000 +0100
+++ icu/source/common/rbbidata.h 2017-04-21 22:46:25.371651160 +0200
@@ -115,7 +115,7 @@
/* StatusTable of the set of matching */
/* tags (rule status values) */
int16_t fReserved;
- uint16_t fNextState[2]; /* Next State, indexed by char category. */
+ uint16_t fNextState[1]; /* Next State, indexed by char category. */
/* This array does not have two elements */
/* Array Size is actually fData->fHeader->fCatCount */
/* CAUTION: see RBBITableBuilder::getTableSize() */
@@ -128,7 +128,7 @@
uint32_t fRowLen; /* Length of a state table row, in bytes. */
uint32_t fFlags; /* Option Flags for this state table */
uint32_t fReserved; /* reserved */
- char fTableData[4]; /* First RBBIStateTableRow begins here. */
+ char fTableData[1]; /* First RBBIStateTableRow begins here. */
/* (making it char[] simplifies ugly address */
/* arithmetic for indexing variable length rows.) */
};
diff -ur icu.org/source/common/rbbitblb.cpp icu/source/common/rbbitblb.cpp
--- icu.org/source/common/rbbitblb.cpp 2017-01-20 01:20:31.000000000 +0100
+++ icu/source/common/rbbitblb.cpp 2017-04-21 22:46:25.373651159 +0200
@@ -1095,15 +1095,15 @@
return 0;
}
- size = sizeof(RBBIStateTable) - 4; // The header, with no rows to the table.
+ size = offsetof(RBBIStateTable, fTableData); // The header, with no rows to the table.
numRows = fDStates->size();
numCols = fRB->fSetBuilder->getNumCharCategories();
- // Note The declaration of RBBIStateTableRow is for a table of two columns.
- // Therefore we subtract two from numCols when determining
+ // Note The declaration of RBBIStateTableRow is for a table of one columns.
+ // Therefore we subtract one from numCols when determining
// how much storage to add to a row for the total columns.
- rowSize = sizeof(RBBIStateTableRow) + sizeof(uint16_t)*(numCols-2);
+ rowSize = sizeof(RBBIStateTableRow) + sizeof(uint16_t)*(numCols-1);
size += numRows * rowSize;
return size;
}
@@ -1133,7 +1133,7 @@
}
table->fRowLen = sizeof(RBBIStateTableRow) +
- sizeof(uint16_t) * (fRB->fSetBuilder->getNumCharCategories() - 2);
+ sizeof(uint16_t) * (fRB->fSetBuilder->getNumCharCategories() - 1);
table->fNumStates = fDStates->size();
table->fFlags = 0;
if (fRB->fLookAheadHardBreak) {
diff -ur icu.org/source/common/ubidiimp.h icu/source/common/ubidiimp.h
--- icu.org/source/common/ubidiimp.h 2017-02-03 19:57:23.000000000 +0100
+++ icu/source/common/ubidiimp.h 2017-04-21 22:46:25.374651159 +0200
@@ -198,8 +198,8 @@
/* in a Run, logicalStart will get this bit set if the run level is odd */
#define INDEX_ODD_BIT (1UL<<31)
-#define MAKE_INDEX_ODD_PAIR(index, level) ((index)|((int32_t)(level)<<31))
-#define ADD_ODD_BIT_FROM_LEVEL(x, level) ((x)|=((int32_t)(level)<<31))
+#define MAKE_INDEX_ODD_PAIR(index, level) ((index)|((uint32_t)(level)<<31))
+#define ADD_ODD_BIT_FROM_LEVEL(x, level) ((x)|=((uint32_t)(level)<<31))
#define REMOVE_ODD_BIT(x) ((x)&=~INDEX_ODD_BIT)
#define GET_INDEX(x) ((x)&~INDEX_ODD_BIT)
diff -ur icu.org/source/common/ucmndata.cpp icu/source/common/ucmndata.cpp
--- icu.org/source/common/ucmndata.cpp 2017-03-08 16:34:47.000000000 +0100
+++ icu/source/common/ucmndata.cpp 2017-04-21 22:46:25.376651159 +0200
@@ -77,7 +77,7 @@
typedef struct {
uint32_t count;
uint32_t reserved;
- PointerTOCEntry entry[2]; /* Actual size is from count. */
+ PointerTOCEntry entry[1]; /* Actual size is from count. */
} PointerTOC;
diff -ur icu.org/source/common/ucmndata.h icu/source/common/ucmndata.h
--- icu.org/source/common/ucmndata.h 2017-01-20 01:20:31.000000000 +0100
+++ icu/source/common/ucmndata.h 2017-04-21 22:46:25.377651159 +0200
@@ -52,7 +52,7 @@
typedef struct {
uint32_t count;
- UDataOffsetTOCEntry entry[2]; /* Actual size of array is from count. */
+ UDataOffsetTOCEntry entry[1]; /* Actual size of array is from count. */
} UDataOffsetTOC;
/**


@ -0,0 +1,28 @@
From b0537ec9a7047d55d365a64e9ec9559cf1f28792 Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Mon, 13 Nov 2017 16:56:23 +0100
Subject: [PATCH] avoid target buffer overflow
---
icu4c/source/common/ucnv_u8.cpp | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/icu4c/source/common/ucnv_u8.cpp b/icu4c/source/common/ucnv_u8.cpp
index 951988ed9..caaf18ae3 100644
--- a/icu4c/source/common/ucnv_u8.cpp
+++ b/icu4c/source/common/ucnv_u8.cpp
@@ -770,6 +770,11 @@ ucnv_UTF8FromUTF8(UConverterFromUnicodeArgs *pFromUArgs,
oldToULength=0;
toULength=1;
toULimit=U8_COUNT_BYTES_NON_ASCII(b);
+ if (toULimit > (const uint8_t *)pFromUArgs->targetLimit - target)
+ {
+ *pErrorCode = U_BUFFER_OVERFLOW_ERROR;
+ break;
+ }
c=b;
moreBytes:
while(toULength<toULimit) {
--
2.14.1
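Review bot: The new target-capacity guard sits above the `moreBytes:` label, so any path that enters through that label bypasses it; the `oldToULength=0` initialisation just before the guard suggests a resumed partial sequence from a previous call jumps to `moreBytes:` directly (the rest of ucnv_UTF8FromUTF8 is outside the hunk), in which case the overflow this patch targets may still be reachable with a multi-byte sequence split across two conversion calls. The guard also fires after one byte has already been consumed (`toULength=1`), so breaking with U_BUFFER_OVERFLOW_ERROR without rewinding `source` or stashing that byte in the converter's toUBytes state, as the partial-sequence path presumably does, would lose it when the caller resumes with a larger buffer. Moving the check to the point below this hunk where the validated sequence is copied to `target`, comparing the remaining capacity against the final `toULength`, covers both entries and lets the existing partial-sequence bookkeeping handle the consumed bytes; if ICU ships an upstream fix for this report, carrying that instead of a local patch is preferable. Either way the added lines deserve a comment naming the bug, e.g. `/* ofz#3670: a non-ASCII sequence needs toULimit target bytes; do not write past targetLimit */`.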