new file mode 100644
@@ -0,0 +1,63 @@
+CVE: CVE-2018-18928
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 53d8c8f3d181d87a6aa925b449b51c4a2c922a51 Mon Sep 17 00:00:00 2001
+From: Shane Carr <shane@unicode.org>
+Date: Mon, 29 Oct 2018 23:52:44 -0700
+Subject: [PATCH] ICU-20246 Fixing another integer overflow in number parsing.
+
+---
+ i18n/fmtable.cpp | 2 +-
+ i18n/number_decimalquantity.cpp | 5 ++++-
+ test/intltest/numfmtst.cpp | 8 ++++++++
+ 6 files changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/i18n/fmtable.cpp b/i18n/fmtable.cpp
+index 45c7024fc29..8601d95f4a6 100644
+--- a/i18n/fmtable.cpp
++++ b/i18n/fmtable.cpp
+@@ -734,7 +734,7 @@ CharString *Formattable::internalGetCharString(UErrorCode &status) {
+ // not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?).
+ if (fDecimalQuantity->isZero()) {
+ fDecimalStr->append("0", -1, status);
+- } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) {
++ } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) {
+ fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status);
+ } else {
+ fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status);
+diff --git a/i18n/number_decimalquantity.cpp b/i18n/number_decimalquantity.cpp
+index 47b930a564b..d5dd7ae694c 100644
+--- a/i18n/number_decimalquantity.cpp
++++ b/i18n/number_decimalquantity.cpp
+@@ -898,7 +898,10 @@ UnicodeString DecimalQuantity::toScientificString() const {
+ }
+ result.append(u'E');
+ int32_t _scale = upperPos + scale;
+- if (_scale < 0) {
++ if (_scale == INT32_MIN) {
++ result.append({u"-2147483648", -1});
++ return result;
++ } else if (_scale < 0) {
+ _scale *= -1;
+ result.append(u'-');
+ } else {
+diff --git a/test/intltest/numfmtst.cpp b/test/intltest/numfmtst.cpp
+index 34355939113..8d52dc122bf 100644
+--- a/test/intltest/numfmtst.cpp
++++ b/test/intltest/numfmtst.cpp
+@@ -9226,6 +9226,14 @@ void NumberFormatTest::Test20037_ScientificIntegerOverflow() {
+ assertEquals(u"Should not overflow and should parse only the first exponent",
+ u"1E-2147483647",
+ {sp.data(), sp.length(), US_INV});
++
++ // Test edge case overflow of exponent
++ result = Formattable();
++ nf->parse(u".0003e-2147483644", result, status);
++ sp = result.getDecimalNumber(status);
++ assertEquals(u"Should not overflow",
++ u"3E-2147483648",
++ {sp.data(), sp.length(), US_INV});
+ }
+
+ void NumberFormatTest::Test13840_ParseLongStringCrash() {
@@ -17,6 +17,7 @@ SRC_URI = "${BASE_SRC_URI} \
file://icu-pkgdata-large-cmd.patch \
file://fix-install-manx.patch \
file://0002-Add-ARC-support.patch \
+ file://CVE-2018-18928.patch \
"
SRC_URI_append_class-target = "\
Signed-off-by: Ross Burton <ross.burton@intel.com> --- meta/recipes-support/icu/icu/CVE-2018-18928.patch | 63 +++++++++++++++++++++++ meta/recipes-support/icu/icu_63.1.bb | 1 + 2 files changed, 64 insertions(+) create mode 100644 meta/recipes-support/icu/icu/CVE-2018-18928.patch -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core