current/SOURCES/icu4c-mdv-CVE-2011-4599.diff


https://bugzilla.redhat.com/show_bug.cgi?id=765812
(icu-4.2.1-9.1.el6_2.src.rpm)

--- source/common/uloc.c        2011-05-23 21:56:08.000000000 +0000
+++ source/common/uloc.c.oden   2011-12-27 10:20:29.000000000 +0000
@@ -1797,7 +1797,7 @@ _canonicalize(const char* localeID,
                 int32_t variantLen = _deleteVariant(variant, uprv_min(variantSize, (nameCapacity-len)), variantToCompare, n);
                 len -= variantLen;
                 if (variantLen > 0) {
-                    if (name[len-1] == '_') { /* delete trailing '_' */
+                    if (len > 0 && name[len-1] == '_') { /* delete trailing '_' */
                         --len;
                     }
                     addKeyword = VARIANT_MAP[j].keyword;
@@ -1805,7 +1805,7 @@ _canonicalize(const char* localeID,
                     break;
                 }
             }
-            if (name[len-1] == '_') { /* delete trailing '_' */
+            if (len > 0 && len <= nameCapacity && name[len-1] == '_') { /* delete trailing '_' */
                 --len;
             }
         }
1
2	https://bugzilla.redhat.com/show_bug.cgi?id=765812
3	(icu-4.2.1-9.1.el6_2.src.rpm)
4
5	--- source/common/uloc.c 2011-05-23 21:56:08.000000000 +0000
6	+++ source/common/uloc.c.oden 2011-12-27 10:20:29.000000000 +0000
7	@@ -1797,7 +1797,7 @@ _canonicalize(const char* localeID,
8	int32_t variantLen = _deleteVariant(variant, uprv_min(variantSize, (nameCapacity-len)), variantToCompare, n);
9	len -= variantLen;
10	if (variantLen > 0) {
11	- if (name[len-1] == '_') { /* delete trailing '_' */
12	+ if (len > 0 && name[len-1] == '_') { /* delete trailing '_' */
13	--len;
14	}
15	addKeyword = VARIANT_MAP[j].keyword;
16	@@ -1805,7 +1805,7 @@ _canonicalize(const char* localeID,
17	break;
18	}
19	}
20	- if (name[len-1] == '_') { /* delete trailing '_' */
21	+ if (len > 0 && len <= nameCapacity && name[len-1] == '_') { /* delete trailing '_' */
22	--len;
23	}
24	}