ICU-23394 Validate serialized spoof data in SpoofData deserialization #3962

Open: TristanInSec wants to merge 3 commits into unicode-org:main from TristanInSec:fix-uspoof-deserialize-validation

TristanInSec commented Apr 29, 2026

Bounds check all offset+size pairs in SpoofData::initPtrs(), add
cross-table consistency validation, guard against null/empty data in
confusableLookup(), and bounds check string table access in
appendValueTo(). Malformed serialized data now returns
U_INVALID_FORMAT_ERROR.

Checklist

  • Required: Issue filed: ICU-23394
  • Required: The PR title must be prefixed with a JIRA Issue number.
  • Required: Each commit message must be prefixed with a JIRA Issue number.
  • Issue accepted (done by Technical Committee after discussion)
  • Tests included, if applicable
  • API docs and/or User Guide docs changed or added, if applicable
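
The kind of check the description above lists (offset+size bounds, cross-table consistency, rejecting a truncated header), as an added example that is not code from this PR or from ICU. The `BlobHeader` layout, `blob_validate`, `range_ok`, `check_sample` and the `BLOB_*` codes are hypothetical names over a constructed sample blob.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical header for illustration; this is NOT ICU's SpoofDataHeader. */
typedef struct {
    uint32_t total_len;                  /* bytes in the blob, header included */
    uint32_t keys_off, keys_count;       /* table of 4-byte keys */
    uint32_t values_off, values_count;   /* parallel table of 2-byte values */
} BlobHeader;

enum { BLOB_OK = 0, BLOB_INVALID_FORMAT = 1 };

/* Is [off, off + count*elem) inside the blob body? The division form
 * cannot wrap, unlike the naive "off + count*elem <= total". */
static int range_ok(uint32_t off, uint32_t count, uint32_t elem, uint32_t total) {
    if (off < sizeof(BlobHeader) || off > total || off % elem != 0) return 0;
    return count <= (total - off) / elem;
}

int blob_validate(const void *data, size_t len) {
    BlobHeader h;
    if (data == NULL || len < sizeof h) return BLOB_INVALID_FORMAT; /* truncated header */
    memcpy(&h, data, sizeof h);          /* copy out: input may be unaligned */
    if (h.total_len < sizeof h || h.total_len > len) return BLOB_INVALID_FORMAT;
    if (!range_ok(h.keys_off, h.keys_count, 4, h.total_len) ||
        !range_ok(h.values_off, h.values_count, 2, h.total_len))
        return BLOB_INVALID_FORMAT;
    /* Cross-table consistency: a lookup uses one index for both tables. */
    if (h.keys_count != h.values_count) return BLOB_INVALID_FORMAT;
    return BLOB_OK;
}

/* Builds a constructed 64-byte sample blob (values table fixed at offset 48)
 * and validates its first `len` bytes. */
int check_sample(uint32_t keys_off, uint32_t keys_count,
                 uint32_t values_count, size_t len) {
    unsigned char buf[64] = {0};
    BlobHeader h = { (uint32_t)sizeof buf, keys_off, keys_count, 48, values_count };
    memcpy(buf, &h, sizeof h);
    return blob_validate(buf, len);
}
```

A count of `0x40000001` is the case that separates the two forms of the range check: multiplied by 4 in 32-bit arithmetic it wraps to 4 and passes the naive comparison, while the division form rejects it.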

CLAassistant commented Apr 29, 2026

CLA assistant check
All committers have signed the CLA.

TristanInSec force-pushed the fix-uspoof-deserialize-validation branch from 3e7e5d0 to 699de55 on April 30, 2026 12:12
@jira-pull-request-webhook

Hooray! The files in the branch are the same across the force-push. 😃

~ Your Friendly Jira-GitHub PR Checker Bot

TristanInSec force-pushed the fix-uspoof-deserialize-validation branch from 699de55 to 30fc708 on April 30, 2026 12:15
@jira-pull-request-webhook

Hooray! The files in the branch are the same across the force-push. 😃

~ Your Friendly Jira-GitHub PR Checker Bot

@markusicu
Member

same comments/questions as in #3961 (comment)

TristanInSec commented May 4, 2026

Hi @markusicu,

Addressed in my reply on #3961. This PR is tracked under ICU-23394. I'll restore the PR template and add unit tests.

Test that uspoof_openFromSerialized returns U_INVALID_FORMAT_ERROR
when given crafted data with inconsistent table sizes or a truncated
header, rather than crashing with a NULL dereference or heap OOB read.

TristanInSec changed the title from "ICU-23251 Validate serialized spoof data in SpoofData deserialization" to "ICU-23394 Validate serialized spoof data in SpoofData deserialization" on May 4, 2026

…Data()

Add offset+size bounds checking and cross-table consistency validation
in readData(). Guard confusableLookup() against empty/null key data.
Labels

jira-needed need-tests Needs unit test code that demonstrates the bug and the fix
