* [PATCH 0/6][master] Fix various CVE
From: Mark Hatle @ 2013-12-05 23:52 UTC
To: openembedded-core
The patches in this set fix various CVE items. This is the matching
set for the dora commits sent earlier, only for master. They all still apply.
The following changes since commit 300760193c6bcfd20f1d4908f912bebd53e86281:
tcl: fix tclConfig.sh to point to the correct private headers (2013-12-05 16:48:17 +0000)
are available in the git repository at:
git://git.yoctoproject.org/poky-contrib mhatle/master-CVE
http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=mhatle/master-CVE
Baogen Shang (2):
libtiff: CVE-2013-4232
libtiff: CVE-2013-4243
Li Wang (1):
xinetd: CVE-2013-4342
Ming Liu (1):
libtiff: fix CVE-2013-1960
Yue Tao (2):
acpid: CVE-2011-1159
icu: CVE-2013-2924
meta/recipes-bsp/acpid/acpid.inc | 3 +-
.../acpid/acpid/set_socket_noblock.patch | 10 ++
.../xinetd/xinetd/xinetd-CVE-2013-4342.patch | 32 +++++
meta/recipes-extended/xinetd/xinetd_2.3.15.bb | 1 +
.../libtiff/files/libtiff-CVE-2013-1960.patch | 151 +++++++++++++++++++++
.../libtiff/files/libtiff-CVE-2013-4232.patch | 15 ++
.../libtiff/files/libtiff-CVE-2013-4243.patch | 40 ++++++
meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 5 +-
...fer_length_check_to_UTF_16_or_32_detector.patch | 33 +++++
meta/recipes-support/icu/icu_51.2.bb | 1 +
10 files changed, 289 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-bsp/acpid/acpid/set_socket_noblock.patch
create mode 100644 meta/recipes-extended/xinetd/xinetd/xinetd-CVE-2013-4342.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4232.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4243.patch
create mode 100644 meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch
--
1.8.3.4
* [PATCH 1/6][master] libtiff: fix CVE-2013-1960
From: Mark Hatle @ 2013-12-05 23:52 UTC
To: openembedded-core
From: Ming Liu <ming.liu@windriver.com>
Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf
in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a crafted TIFF image
file.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1960
Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
---
.../libtiff/files/libtiff-CVE-2013-1960.patch | 151 +++++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 3 +-
2 files changed, 153 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
new file mode 100644
index 0000000..e4348f1
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
@@ -0,0 +1,151 @@
+This patch comes from: http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-1960.patch
+
+Upstream-Status: Pending
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+
+diff -Naur a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+--- a/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400
++++ b/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400
+@@ -3341,33 +3341,56 @@
+ uint32 height){
+
+ tsize_t i=0;
+- uint16 ri =0;
+- uint16 v_samp=1;
+- uint16 h_samp=1;
+- int j=0;
+-
+- i++;
+-
+- while(i<(*striplength)){
++
++ while (i < *striplength) {
++ tsize_t datalen;
++ uint16 ri;
++ uint16 v_samp;
++ uint16 h_samp;
++ int j;
++ int ncomp;
++
++ /* marker header: one or more FFs */
++ if (strip[i] != 0xff)
++ return(0);
++ i++;
++ while (i < *striplength && strip[i] == 0xff)
++ i++;
++ if (i >= *striplength)
++ return(0);
++ /* SOI is the only pre-SOS marker without a length word */
++ if (strip[i] == 0xd8)
++ datalen = 0;
++ else {
++ if ((*striplength - i) <= 2)
++ return(0);
++ datalen = (strip[i+1] << 8) | strip[i+2];
++ if (datalen < 2 || datalen >= (*striplength - i))
++ return(0);
++ }
+ switch( strip[i] ){
+- case 0xd8:
+- /* SOI - start of image */
++ case 0xd8: /* SOI - start of image */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
+ *bufferoffset+=2;
+- i+=2;
+ break;
+- case 0xc0:
+- case 0xc1:
+- case 0xc3:
+- case 0xc9:
+- case 0xca:
++ case 0xc0: /* SOF0 */
++ case 0xc1: /* SOF1 */
++ case 0xc3: /* SOF3 */
++ case 0xc9: /* SOF9 */
++ case 0xca: /* SOF10 */
+ if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- for(j=0;j<buffer[*bufferoffset+9];j++){
+- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
+- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
+- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
+- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ ncomp = buffer[*bufferoffset+9];
++ if (ncomp < 1 || ncomp > 4)
++ return(0);
++ v_samp=1;
++ h_samp=1;
++ for(j=0;j<ncomp;j++){
++ uint16 samp = buffer[*bufferoffset+11+(3*j)];
++ if( (samp>>4) > h_samp)
++ h_samp = (samp>>4);
++ if( (samp & 0x0f) > v_samp)
++ v_samp = (samp & 0x0f);
+ }
+ v_samp*=8;
+ h_samp*=8;
+@@ -3381,45 +3404,43 @@
+ (unsigned char) ((height>>8) & 0xff);
+ buffer[*bufferoffset+6]=
+ (unsigned char) (height & 0xff);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
+-
++ *bufferoffset+=datalen+2;
++ /* insert a DRI marker */
+ buffer[(*bufferoffset)++]=0xff;
+ buffer[(*bufferoffset)++]=0xdd;
+ buffer[(*bufferoffset)++]=0x00;
+ buffer[(*bufferoffset)++]=0x04;
+ buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
+ buffer[(*bufferoffset)++]= ri & 0xff;
+- } else {
+- i+=strip[i+2]+2;
+ }
+ break;
+- case 0xc4:
+- case 0xdb:
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ case 0xc4: /* DHT */
++ case 0xdb: /* DQT */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+ break;
+- case 0xda:
++ case 0xda: /* SOS */
+ if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+ } else {
+ buffer[(*bufferoffset)++]=0xff;
+ buffer[(*bufferoffset)++]=
+ (unsigned char)(0xd0 | ((no-1)%8));
+- i+=strip[i+2]+2;
+ }
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
+- *bufferoffset+=(*striplength)-i-1;
++ i += datalen + 1;
++ /* copy remainder of strip */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
++ *bufferoffset+= *striplength - i;
+ return(1);
+ default:
+- i+=strip[i+2]+2;
++ /* ignore any other marker */
++ break;
+ }
++ i += datalen + 1;
+ }
+-
+
++ /* failed to find SOS marker */
+ return(0);
+ }
+ #endif
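Review bot: the SOF cases check `datalen` only against the strip (`datalen < 2 || datalen >= (*striplength - i)`) but then read `ncomp` from `buffer[*bufferoffset+9]`, read the sampling byte of each component at `buffer[*bufferoffset+11+(3*j)]`, and write the height back into `buffer[*bufferoffset+5]` and `buffer[*bufferoffset+6]`; a SOF segment whose `datalen` is shorter than 8 + 3*ncomp makes those accesses touch bytes that were not just copied from the strip but whatever `buffer` held before. Suggest `if (datalen < 8) return(0);` before `ncomp` is read and `if (datalen < 8 + 3*ncomp) return(0);` right after the `ncomp < 1 || ncomp > 4` check. The rest of the rewrite reads well: every marker is now length-checked before its `_TIFFmemcpy`, and the single `i += datalen + 1` at the bottom of the loop replaces the per-case advances that trusted `strip[i+2]`.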
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
index c90b4b2..def408e 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
@@ -5,7 +5,8 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/"
DEPENDS = "zlib jpeg xz"
SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
- file://libtool2.patch"
+ file://libtool2.patch \
+ file://libtiff-CVE-2013-1960.patch"
SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"
--
1.8.3.4
* [PATCH 2/6][master] libtiff: CVE-2013-4232
From: Mark Hatle @ 2013-12-05 23:52 UTC
To: openembedded-core
From: Baogen Shang <baogen.shang@windriver.com>
CVE description:
Use-after-free vulnerability in the t2p_readwrite_pdf_image function
in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause
a denial of service (crash) or possibly execute arbitrary code via a
crafted TIFF image.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4232
Signed-off-by: Baogen Shang <baogen.shang@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
.../libtiff/files/libtiff-CVE-2013-4232.patch | 15 +++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 3 ++-
2 files changed, 17 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4232.patch
diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4232.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4232.patch
new file mode 100644
index 0000000..9ebf8f9a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4232.patch
@@ -0,0 +1,15 @@
+This patch comes from: http://bugzilla.maptools.org/attachment.cgi?id=513&action=diff
+
+Upstream-Status: Pending
+
+Signed-off-by: Baogen shang <baogen.shang@windriver.com>
+--- a/tools/tiff2pdf.c 2013-10-21 10:36:38.214170346 +0800
++++ b/tools/tiff2pdf.c 2013-10-21 10:38:58.246170329 +0800
+@@ -2387,6 +2387,7 @@
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ _TIFFfree(buffer);
++ return(0);
+ } else {
+ buffer=samplebuffer;
+ t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
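Review bot: the Signed-off-by in the embedded patch header spells the name "Baogen shang" while the commit message above uses "Baogen Shang"; make them consistent. The added `return(0)` itself is the right fix: `_TIFFfree(buffer)` on the preceding line sits only on the error path, where `buffer` is not reassigned (the `else` branch sets `buffer=samplebuffer`), so without the early return the function continues into code that still uses the freed `buffer`, which is the use-after-free the CVE describes; `t2p->t2p_error = T2P_ERR_ERROR` is already set two lines above, so the caller can see the failure.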
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
index def408e..2d38c68 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
@@ -6,7 +6,8 @@ DEPENDS = "zlib jpeg xz"
SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
file://libtool2.patch \
- file://libtiff-CVE-2013-1960.patch"
+ file://libtiff-CVE-2013-1960.patch \
+ file://libtiff-CVE-2013-4232.patch"
SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"
--
1.8.3.4
* [PATCH 3/6][master] libtiff: CVE-2013-4243
From: Mark Hatle @ 2013-12-05 23:52 UTC
To: openembedded-core
From: Baogen Shang <baogen.shang@windriver.com>
CVE description:
Heap-based buffer overflow in the readgifimage function in the gif2tiff
tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial
of service (crash) and possibly execute arbitrary code via crafted height
and width values in a GIF image.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4243
Signed-off-by: Baogen Shang <baogen.shang@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
.../libtiff/files/libtiff-CVE-2013-4243.patch | 40 ++++++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 3 +-
2 files changed, 42 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4243.patch
diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4243.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4243.patch
new file mode 100644
index 0000000..642a117
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4243.patch
@@ -0,0 +1,40 @@
+This patch comes from: http://bugzilla.maptools.org/attachment.cgi?id=518&action=diff#tools/gif2tiff.c_sec2
+
+Upstream-Status: Pending
+
+Signed-off-by: Baogen shang <baogen.shang@windriver.com>
+--- a/tools/gif2tiff.c 2013-10-14 17:08:43.966239709 +0800
++++ b/tools/gif2tiff.c 2013-10-14 17:18:22.994239638 +0800
+@@ -280,6 +280,10 @@
+ fprintf(stderr, "no colormap present for image\n");
+ return (0);
+ }
++ if (width == 0 || height == 0) {
++ fprintf(stderr, "Invalid value of width or height\n");
++ return(0);
++ }
+ if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
+ fprintf(stderr, "not enough memory for image\n");
+ return (0);
+@@ -397,6 +401,10 @@
+ return 1;
+ }
+
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
+ if (oldcode == -1) {
+ *(*fill)++ = suffix[code];
+ firstchar = oldcode = code;
+@@ -428,6 +436,10 @@
+ }
+ oldcode = incode;
+ do {
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
+ *(*fill)++ = *--stackp;
+ } while (stackp > stack);
+ return 1;
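Review bot: the `width == 0 || height == 0` check in the first change rejects empty images but not oversized ones; depending on the types of `width` and `height`, the product in `_TIFFmalloc(width*height+EXTRAFUDGE)` can still wrap, and since the same `width*height` is the bound in the new `*fill >= raster + width*height` checks, a wrapped product shrinks the allocation and the bound together and the checks no longer protect anything. Suggest an explicit upper limit on `width` and `height` (or an overflow-checked multiplication) next to the zero check. The second and third changes are sound as bounds checks because each precedes exactly one write through `*fill`; computing `raster + width*height` once into a local before the `do` loop would avoid repeating the multiplication on every iteration.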
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
index 2d38c68..d918b5a 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
@@ -7,7 +7,8 @@ DEPENDS = "zlib jpeg xz"
SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
file://libtool2.patch \
file://libtiff-CVE-2013-1960.patch \
- file://libtiff-CVE-2013-4232.patch"
+ file://libtiff-CVE-2013-4232.patch \
+ file://libtiff-CVE-2013-4243.patch"
SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"
--
1.8.3.4
* [PATCH 4/6][master] xinetd: CVE-2013-4342
From: Mark Hatle @ 2013-12-05 23:52 UTC
To: openembedded-core
From: Li Wang <li.wang@windriver.com>
xinetd does not enforce the user and group configuration directives
for TCPMUX services, which causes these services to be run as root
and makes it easier for remote attackers to gain privileges by
leveraging another vulnerability in a service.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4342
The patch comes from:
https://bugzilla.redhat.com/attachment.cgi?id=799732&action=diff
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
.../xinetd/xinetd/xinetd-CVE-2013-4342.patch | 32 ++++++++++++++++++++++
meta/recipes-extended/xinetd/xinetd_2.3.15.bb | 1 +
2 files changed, 33 insertions(+)
create mode 100644 meta/recipes-extended/xinetd/xinetd/xinetd-CVE-2013-4342.patch
diff --git a/meta/recipes-extended/xinetd/xinetd/xinetd-CVE-2013-4342.patch b/meta/recipes-extended/xinetd/xinetd/xinetd-CVE-2013-4342.patch
new file mode 100644
index 0000000..0542dbe
--- /dev/null
+++ b/meta/recipes-extended/xinetd/xinetd/xinetd-CVE-2013-4342.patch
@@ -0,0 +1,32 @@
+xinetd: CVE-2013-4342
+
+xinetd does not enforce the user and group configuration directives
+for TCPMUX services, which causes these services to be run as root
+and makes it easier for remote attackers to gain privileges by
+leveraging another vulnerability in a service.
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4342
+
+the patch come from:
+https://bugzilla.redhat.com/attachment.cgi?id=799732&action=diff
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ xinetd/builtins.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xinetd/builtins.c b/xinetd/builtins.c
+index 3b85579..34a5bac 100644
+--- a/xinetd/builtins.c
++++ b/xinetd/builtins.c
+@@ -617,7 +617,7 @@ static void tcpmux_handler( const struct server *serp )
+ if( SC_IS_INTERNAL( scp ) ) {
+ SC_INTERNAL(scp, nserp);
+ } else {
+- exec_server(nserp);
++ child_process(nserp);
+ }
+ }
+
+--
+1.7.9.5
+
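Review bot: the embedded patch header carries no Upstream-Status: line, which the libtiff patches in this series do have; add one, citing the Red Hat bugzilla attachment URL that is already in the header. The one-line change matches the CVE description: `exec_server(nserp)` executes the TCPMUX child directly, so the service's `user` and `group` directives are never applied, while `child_process(nserp)` is the path that is supposed to drop to the configured identity before exec. Saying that in the commit message, rather than only quoting the CVE text, would make the intent of the swap clear to the next reader.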
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.bb
index 7976570..0e28172 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://www.xinetd.org/xinetd-${PV}.tar.gz \
file://Various-fixes-from-the-previous-maintainer.patch \
file://Disable-services-from-inetd.conf-if-a-service-with-t.patch \
file://xinetd-should-be-able-to-listen-on-IPv6-even-in-ine.patch \
+ file://xinetd-CVE-2013-4342.patch \
"
SRC_URI[md5sum] = "77358478fd58efa6366accae99b8b04c"
--
1.8.3.4
* [PATCH 5/6][master] acpid: CVE-2011-1159
From: Mark Hatle @ 2013-12-05 23:52 UTC
To: openembedded-core
From: Yue Tao <yue.tao@windriver.com>
acpid.c in acpid before 2.0.9 does not properly handle a situation in which
a process has connected to acpid.socket but is not reading any data, which
allows local users to cause a denial of service (daemon hang) via a crafted
application that performs a connect system call but no read system calls.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1159
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
meta/recipes-bsp/acpid/acpid.inc | 3 ++-
meta/recipes-bsp/acpid/acpid/set_socket_noblock.patch | 10 ++++++++++
2 files changed, 12 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-bsp/acpid/acpid/set_socket_noblock.patch
diff --git a/meta/recipes-bsp/acpid/acpid.inc b/meta/recipes-bsp/acpid/acpid.inc
index 40293c5..a384265 100644
--- a/meta/recipes-bsp/acpid/acpid.inc
+++ b/meta/recipes-bsp/acpid/acpid.inc
@@ -6,7 +6,8 @@ LICENSE="GPLv2+"
SECTION = "base"
SRC_URI = "${SOURCEFORGE_MIRROR}/acpid/acpid-${PV}.tar.gz \
- file://init"
+ file://init \
+ file://set_socket_noblock.patch "
inherit update-rc.d
diff --git a/meta/recipes-bsp/acpid/acpid/set_socket_noblock.patch b/meta/recipes-bsp/acpid/acpid/set_socket_noblock.patch
new file mode 100644
index 0000000..54d6435
--- /dev/null
+++ b/meta/recipes-bsp/acpid/acpid/set_socket_noblock.patch
@@ -0,0 +1,10 @@
+--- a/acpid.c
++++ b/acpid.c
+@@ -307,6 +307,7 @@ main(int argc, char **argv)
+ non_root_clients++;
+ }
+ fcntl(cli_fd, F_SETFD, FD_CLOEXEC);
++ fcntl(cli_fd, F_SETFL, O_NONBLOCK);
+ snprintf(buf, sizeof(buf)-1, "%d[%d:%d]",
+ creds.pid, creds.uid, creds.gid);
+ acpid_add_client(cli_fd, buf);
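Review bot: `fcntl(cli_fd, F_SETFL, O_NONBLOCK)` replaces the descriptor's status flags instead of adding to them; the portable idiom is `fcntl(cli_fd, F_SETFL, fcntl(cli_fd, F_GETFL) | O_NONBLOCK)`, which keeps any flags already set on the accepted socket. The embedded patch also has no header at all: no description, no Upstream-Status, no Signed-off-by and no mention of CVE-2011-1159, unlike the other patches in this series; at minimum carry the CVE URL from the commit message into the patch and add an Upstream-Status line (acpid 2.0.9, which the CVE text names as the fixed version, is the reference to check against). The unchecked return value matches the `F_SETFD` call on the line above, so that is consistent with the surrounding code.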
--
1.8.3.4
* [PATCH 6/6][master] icu: CVE-2013-2924
From: Mark Hatle @ 2013-12-05 23:52 UTC
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
Use-after-free vulnerability in International Components for Unicode (ICU),
as used in Google Chrome before 30.0.1599.66 and other products, allows
remote attackers to cause a denial of service or possibly have unspecified
other impact via unknown vectors.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2924
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
...fer_length_check_to_UTF_16_or_32_detector.patch | 33 ++++++++++++++++++++++
meta/recipes-support/icu/icu_51.2.bb | 1 +
2 files changed, 34 insertions(+)
create mode 100644 meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch
diff --git a/meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch b/meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch
new file mode 100644
index 0000000..ad4d61c
--- /dev/null
+++ b/meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch
@@ -0,0 +1,33 @@
+--- source/i18n/csrucode.cpp
++++ source/i18n/csrucode.cpp
+@@ -33,8 +33,9 @@ UBool CharsetRecog_UTF_16_BE::match(Inpu
+ {
+ const uint8_t *input = textIn->fRawInput;
+ int32_t confidence = 0;
++ int32_t length = textIn->fRawLength;
+
+- if (input[0] == 0xFE && input[1] == 0xFF) {
++ if (length >=2 && input[0] == 0xFE && input[1] == 0xFF) {
+ confidence = 100;
+ }
+
+@@ -57,8 +58,9 @@ UBool CharsetRecog_UTF_16_LE::match(Inpu
+ {
+ const uint8_t *input = textIn->fRawInput;
+ int32_t confidence = 0;
++ int32_t length = textIn->fRawLength;
+
+- if (input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
++ if (length >= 4 && input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
+ confidence = 100;
+ }
+
+@@ -81,7 +83,7 @@ UBool CharsetRecog_UTF_32::match(InputTe
+ bool hasBOM = FALSE;
+ int32_t confidence = 0;
+
+- if (getChar(input, 0) == 0x0000FEFFUL) {
++ if (limit > 0 && getChar(input, 0) == 0x0000FEFFUL) {
+ hasBOM = TRUE;
+ }
+
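Review bot: the third change guards `getChar(input, 0)`, a four-byte read, with `limit > 0`, whereas the two UTF-16 changes guard with `textIn->fRawLength` directly (`length >= 2` for the two-byte BOM, `length >= 4` for the BOM plus the two bytes inspected after it); `limit` is not defined anywhere in the hunk, so confirm it is derived from `fRawLength` in whole four-byte units, otherwise `limit > 0` still admits a one- to three-byte input and the read remains out of bounds. Minor style: `length >=2` in the first change should be `length >= 2` to match the second. The embedded patch also lacks a header (description, Upstream-Status, Signed-off-by, CVE reference), unlike the libtiff patches in this series.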
diff --git a/meta/recipes-support/icu/icu_51.2.bb b/meta/recipes-support/icu/icu_51.2.bb
index aca3ea5..aabe07b 100644
--- a/meta/recipes-support/icu/icu_51.2.bb
+++ b/meta/recipes-support/icu/icu_51.2.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://../license.html;md5=443a74288a72fad9069a74e7637192c1"
BASE_SRC_URI = "http://download.icu-project.org/files/icu4c/${PV}/icu4c-51_2-src.tgz"
SRC_URI = "${BASE_SRC_URI} \
file://icu-pkgdata-large-cmd.patch \
+ file://add_buffer_length_check_to_UTF_16_or_32_detector.patch \
"
SRC_URI[md5sum] = "072e501b87065f3a0ca888f1b5165709"
--
1.8.3.4