Commit 3bde8aa

Fix ucal_getCanonicalTimeZoneID crash to access invalid buffer
Summary: If the Android system locale string length is less than 32, in this case `bufferLength` is 32, which will cause `ucal_getCanonicalTimeZoneID` to access an invalid buffer.
1 parent d4d27de commit 3bde8aa

1 file changed

+9
-10
lines changed

patches/jsc_intl_timezone.patch

Lines changed: 9 additions & 10 deletions
@@ -1,16 +1,14 @@
1-
diff -aur target-org/webkit/Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp target/webkit/Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp
2-
--- target-org/webkit/Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp 2019-01-28 09:56:29.000000000 +0800
3-
+++ target/webkit/Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp 2019-09-06 02:00:12.000000000 +0800
4-
@@ -40,6 +40,8 @@
1+
--- download/webkit/Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp 2019-08-28 06:14:52.000000000 +0800
2+
+++ target/webkit/Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp 2019-12-19 11:44:16.000000000 +0800
3+
@@ -40,6 +40,7 @@
54
#include <unicode/udatpg.h>
65
#include <unicode/uenum.h>
76
#include <wtf/text/StringBuilder.h>
87
+#include <sys/system_properties.h>
9-
+#include <wtf/unicode/UTF8Conversion.h>
108

119
#if JSC_ICU_HAS_UFIELDPOSITER
1210
#include <unicode/ufieldpositer.h>
13-
@@ -121,14 +123,34 @@
11+
@@ -121,14 +123,35 @@
1412
// 6.4.3 DefaultTimeZone () (ECMA-402 2.0)
1513
// The DefaultTimeZone abstract operation returns a String value representing the valid (6.4.1) and canonicalized (6.4.2) time zone name for the host environment’s current time zone.
1614

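Review bot: Removing `#include <wtf/unicode/UTF8Conversion.h>` is consistent with dropping `convertUTF8ToUTF16`, but the visible include block (`udatpg.h`, `uenum.h`, `StringBuilder.h`, `system_properties.h`) shows no `<unicode/ustring.h>`, which is where `u_uastrncpy` is declared; confirm that IntlDateTimeFormat.cpp already pulls it in transitively, or add it in this hunk. The regenerated patch header also changes the `---` path from `target-org/webkit/...` to `download/webkit/...` and the hunk counts (`+40,8` to `+40,7`, `+123,34` to `+123,35`), so the strip level used when applying the patch should be checked against the new path.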
@@ -28,11 +26,12 @@ diff -aur target-org/webkit/Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp
2826
+ char systemPropBuffer[2 * (PROP_VALUE_MAX + 1)] = {0};
2927
+ if (__system_property_get("persist.sys.timezone", systemPropBuffer) != 0) {
3028
+ size_t systemPropLength = strlen(systemPropBuffer);
31-
+ if (systemPropLength > buffer.capacity()) {
32-
+ buffer.grow(strlen(systemPropBuffer));
29+
+ bufferLength = systemPropLength;
30+
+ if (bufferLength > buffer.capacity()) {
31+
+ buffer.grow(bufferLength);
3332
+ }
34-
+ UChar* bufferStart = buffer.data();
35-
+ if (WTF::Unicode::convertUTF8ToUTF16(systemPropBuffer, systemPropBuffer + systemPropLength, &bufferStart, bufferStart + buffer.capacity())) {
33+
+
34+
+ if (u_uastrncpy(buffer.data(), systemPropBuffer, buffer.capacity())) {
3635
+ status = U_ZERO_ERROR;
3736
+ }
3837
}
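Review bot: The condition `if (u_uastrncpy(buffer.data(), systemPropBuffer, buffer.capacity()))` is always true, because `u_uastrncpy` returns its destination pointer rather than a success flag, so `status = U_ZERO_ERROR` now runs unconditionally where the old `convertUTF8ToUTF16` branch only set it on a successful conversion; either drop the `if` or replace it with a check that can actually fail. Assigning `bufferLength = systemPropLength` before the capacity check does fix the stale length of 32 described in the summary. One caveat: when `systemPropLength` equals `buffer.capacity()`, `u_uastrncpy` copies exactly `n` characters and writes no terminating NUL, so downstream code must rely on `bufferLength` rather than on a NUL-terminated buffer.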
