Fix use-after-free race in TransliteratorAlias compoundFilter

hirorogo · Squash Bot · commit b8391c62d31f · 2026-03-27T14:20:25.000Z
See #3913
diff --git a/icu4c/source/i18n/transreg.cpp b/icu4c/source/i18n/transreg.cpp
@@ -86,7 +86,7 @@ TransliteratorAlias::TransliteratorAlias(const UnicodeString& theAliasID,
     ID(),
     aliasesOrRules(theAliasID),
     transes(nullptr),
-    compoundFilter(cpdFilter),
+    compoundFilter(cpdFilter ? cpdFilter->clone() : nullptr),
     direction(UTRANS_FORWARD),
     type(TransliteratorAlias::SIMPLE) {
 }
@@ -98,7 +98,7 @@ TransliteratorAlias::TransliteratorAlias(const UnicodeString& theID,
     ID(theID),
     aliasesOrRules(idBlocks),
     transes(adoptedTransliterators),
-    compoundFilter(cpdFilter),
+    compoundFilter(cpdFilter ? cpdFilter->clone() : nullptr),
     direction(UTRANS_FORWARD),
     type(TransliteratorAlias::COMPOUND) {
 }
@@ -116,6 +116,7 @@ TransliteratorAlias::TransliteratorAlias(const UnicodeString& theID,
 
 TransliteratorAlias::~TransliteratorAlias() {
     delete transes;
+    delete compoundFilter;
 }
 
 
@@ -132,7 +133,7 @@ Transliterator* TransliteratorAlias::create(UParseError& pe,
             return nullptr;
         }
         if (compoundFilter != nullptr)
-            t->adoptFilter(compoundFilter->clone());
+            t->adoptFilter(static_cast<UnicodeSet*>(compoundFilter->clone()));
         break;
     case COMPOUND:
         {
diff --git a/icu4c/source/i18n/transreg.h b/icu4c/source/i18n/transreg.h
@@ -105,14 +105,14 @@ class TransliteratorAlias : public UMemory {
     //    Here ID is the ID, aliasID is the idBlock, trans is the
     //    contained RBT, and idSplitPoint is the offset in aliasID
     //    where the contained RBT goes.  compoundFilter is the
-    //    compound filter, and it is _not_ owned.
+    //    compound filter, and it is owned (cloned from entry).
     // 3. Rules
     //    Here ID is the ID, aliasID is the rules string.
     //    idSplitPoint is the UTransDirection.
     UnicodeString ID;
     UnicodeString aliasesOrRules;
     UVector* transes; // owned
-    const UnicodeSet* compoundFilter; // alias
+    UnicodeSet* compoundFilter; // owned
     UTransDirection direction;
     enum { SIMPLE, COMPOUND, RULES } type;
 

Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@ TransliteratorAlias::TransliteratorAlias(const UnicodeString& theAliasID,`
`86`	`86`	`ID(),`
`87`	`87`	`aliasesOrRules(theAliasID),`
`88`	`88`	`transes(nullptr),`
`89`		`- compoundFilter(cpdFilter),`
	`89`	`+ compoundFilter(cpdFilter ? cpdFilter->clone() : nullptr),`
`90`	`90`	`direction(UTRANS_FORWARD),`
`91`	`91`	`type(TransliteratorAlias::SIMPLE) {`
`92`	`92`	`}`
`@@ -98,7 +98,7 @@ TransliteratorAlias::TransliteratorAlias(const UnicodeString& theID,`
`98`	`98`	`ID(theID),`
`99`	`99`	`aliasesOrRules(idBlocks),`
`100`	`100`	`transes(adoptedTransliterators),`
`101`		`- compoundFilter(cpdFilter),`
	`101`	`+ compoundFilter(cpdFilter ? cpdFilter->clone() : nullptr),`
`102`	`102`	`direction(UTRANS_FORWARD),`
`103`	`103`	`type(TransliteratorAlias::COMPOUND) {`
`104`	`104`	`}`
`@@ -116,6 +116,7 @@ TransliteratorAlias::TransliteratorAlias(const UnicodeString& theID,`
`116`	`116`
`117`	`117`	`TransliteratorAlias::~TransliteratorAlias() {`
`118`	`118`	`delete transes;`
	`119`	`+ delete compoundFilter;`
`119`	`120`	`}`
`120`	`121`
`121`	`122`
`@@ -132,7 +133,7 @@ Transliterator* TransliteratorAlias::create(UParseError& pe,`
`132`	`133`	`return nullptr;`
`133`	`134`	`}`
`134`	`135`	`if (compoundFilter != nullptr)`
`135`		`- t->adoptFilter(compoundFilter->clone());`
	`136`	`+ t->adoptFilter(static_cast<UnicodeSet*>(compoundFilter->clone()));`
`136`	`137`	`break;`
`137`	`138`	`case COMPOUND:`
`138`	`139`	`{`