OOM not handled in selectForMask

Description

In the helper/internal function selectForMask, called by ucnvsel_selectForString and ucnvsel_selectForUTF8 there is an unchecked malloc, which can lead a segmentation fault/crash if OOM occurs.

https://github.com/unicode-org/icu/blob/master/icu4c/source/common/ucnvsel.cpp#L722

1 2 3 4 5 6 7 8 9 10 11 12 13 14 if (numOnes > 0) { result->index = (int16_t*) uprv_malloc(numOnes * sizeof(int16_t)); int32_t i, j; int16_t k = 0; for (j = 0 ; j < columns; j++) { uint32_t v = mask[j]; for (i = 0 ; i < 32 && k < sel->encodingsCount; i++, k++) { if ((v & 1) != 0) { result->index[result->length++] = k; } v >>= 1; } }

 

The output from using a modified version of cintltst (which randomly fails to allocate) running under valgrind:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 OOM: failing to allocate 2 ==13273== Invalid write of size 2 ==13273== at 0x5B3C614: selectForMask(UConverterSelector const*, unsigned int*, UErrorCode*) (ucnvsel.cpp:730) ==13273== by 0x5B3C3C1: ucnvsel_selectForString (ucnvsel.cpp:780) ==13273== by 0x433DBE: TestSelector (ucnvseltst.c:483) ==13273== by 0x4E43D32: iterateTestsWithLevel (ctest.c:392) ==13273== by 0x4E44083: iterateTestsWithLevel (ctest.c:456) ==13273== by 0x4E44083: iterateTestsWithLevel (ctest.c:456) ==13273== by 0x4E44083: iterateTestsWithLevel (ctest.c:456) ==13273== by 0x4E44261: runTests (ctest.c:519) ==13273== by 0x4E4677B: runTestRequest (ctest.c:1235) ==13273== by 0x44C7C0: main (cintltst.c:214) ==13273== Address 0x0 is not stack'd, malloc'd or (recently) free'd ==13273== ==13273== ==13273== Process terminating with default action of signal 11 (SIGSEGV)

 

Status

Assignee

Jeff Genovy

Reporter

Jeff Genovy

Labels

Reviewer

None

Time Needed

Hours

Start date

None

Components

Fix versions

Priority

medium