Skip to content

Commit

Permalink
ICU-22768 Fix bidi buffer overflow
Browse files Browse the repository at this point in the history
Consider doWriteForward may return 0 if src only contains bidi control chars.
  • Loading branch information
FrankYFTang committed May 29, 2024
1 parent 699fb1d commit 821b8ae
Show file tree
Hide file tree
Showing 3 changed files with 25 additions and 3 deletions.
10 changes: 8 additions & 2 deletions icu4c/source/common/ubidiwrt.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -501,7 +501,10 @@ ubidi_writeReordered(UBiDi *pBiDi,
destSize-=runLength;

if((pBiDi->isInverse) &&
(/*run<runCount-1 &&*/ dirProps[logicalStart+runLength-1]!=L)) {
(/*run<runCount-1 &&*/
runLength > 0 && // doWriteForward may return 0 if src
// only include bidi control chars
dirProps[logicalStart+runLength-1]!=L)) {
markFlag |= LRM_AFTER;
}
if (markFlag & LRM_AFTER) {
Expand Down Expand Up @@ -632,7 +635,10 @@ ubidi_writeReordered(UBiDi *pBiDi,
}
destSize-=runLength;

if(/*run>0 &&*/ !(MASK_R_AL&DIRPROP_FLAG(dirProps[logicalStart+runLength-1]))) {
if(/*run>0 &&*/
runLength > 0 && // doWriteForward may return 0 if src
// only include bidi control chars
!(MASK_R_AL&DIRPROP_FLAG(dirProps[logicalStart+runLength-1]))) {
if(destSize>0) {
*dest++=RLM_CHAR;
}
Expand Down
16 changes: 16 additions & 0 deletions icu4c/source/test/cintltst/cbiditst.c
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,7 @@ static void doTailTest(void);

static void testBracketOverflow(void);
static void TestExplicitLevel0(void);
static void testUBidiWriteReorderedBufferOverflow(void);

/* new BIDI API */
static void testReorderingMode(void);
Expand Down Expand Up @@ -141,6 +142,7 @@ addComplexTest(TestNode** root) {
addTest(root, testContext, "complex/bidi/testContext");
addTest(root, testBracketOverflow, "complex/bidi/TestBracketOverflow");
addTest(root, TestExplicitLevel0, "complex/bidi/TestExplicitLevel0");
addTest(root, testUBidiWriteReorderedBufferOverflow, "complex/bidi/writeReorderedBufferOverflow");

addTest(root, doArabicShapingTest, "complex/arabic-shaping/ArabicShapingTest");
addTest(root, doLamAlefSpecialVLTRArabicShapingTest, "complex/arabic-shaping/lamalef");
Expand Down Expand Up @@ -4939,6 +4941,20 @@ testBracketOverflow(void) {
ubidi_close(bidi);
}

/* ICU-22768 */
static void
testUBidiWriteReorderedBufferOverflow (void) {
UErrorCode status = U_ZERO_ERROR;
UBiDi* bidi;
bidi = ubidi_open();
ubidi_setInverse(bidi, true);
static const UChar text[1] = { 0x2067 };
ubidi_setPara(bidi, text, 1, UBIDI_DEFAULT_RTL, NULL, &status);
UChar dest[MAXLEN];
ubidi_writeReordered(bidi, dest, MAXLEN, 0x20ff, &status);
ubidi_close(bidi);
}

static void TestExplicitLevel0(void) {
// The following used to fail with an error, see ICU ticket #12922.
static const UChar text[2] = { 0x202d, 0x05d0 };
Expand Down
2 changes: 1 addition & 1 deletion icu4c/source/test/fuzzer/ubidi_fuzzer.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -125,7 +125,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
checkVisual = (*(fuzzData.data()) & 0x01) == 0;
fuzzData.remove_prefix(sizeof(checkVisual));

std::memcpy(&isInverse, fuzzData.data(), sizeof(isInverse));
isInverse = (*(fuzzData.data()) & 0x01) != 0;
fuzzData.remove_prefix(sizeof(isInverse));

std::memcpy(&options2, fuzzData.data(), sizeof(options2));
Expand Down

0 comments on commit 821b8ae

Please sign in to comment.