Fuzzer-detected Null-dereference READ in icu_67::DataBuilderCollationIterator::getCE32FromBuilderData

Description

Top part of stack trace:
Crash State:

Crash Type: Null-dereference READ

See detailed report: https://oss-fuzz.com/testcase?key=5654471674953728

Activity

Frank Yung-Fong Tang
July 24, 2020, 5:26 PM
Frank Yung-Fong Tang
July 30, 2020, 5:23 AM

How to reproduce this bug.

Make sure your ICU source is synced after the landing of OR patch it into your ICU source.

  1. Download the test case file (click on the file under "Attachments") and save it as TESTFILE.

  2. In the ICU source directory:

  3. Run:
     CXXFLAGS="-fsanitize=address" CFLAGS="-fsanitize=address" ./runConfigureICU --disable-release Linux --disable-layoutex

  4. make clean

  5. make tests

  6. cd tests/fuzzer

  7. make clean

  8. make

  9. Run:
     LD_LIBRARY_PATH=lib:stubdata:tools/ctestfw:../../lib:../../stubdata:../../tools/ctestfw:$LD_LIBRARY_PATH ./collator_rulebased_fuzzer $testfile

Frank Yung-Fong Tang
July 31, 2020, 11:44 PM

When this happens, cond is nullptr in source/i18n/collationdatabuilder.cpp around line 263, in DataBuilderCollationIterator::getCE32FromBuilderData.

ce32 is 0x2d1000f7. Collation::indexFromCE32(ce32) returns 92288, but conditionalCE32s.size() is only 598.
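
Added illustration of the out-of-range index described in the comment above; this is example code, not code from the ICU project or from the commenter. It assumes ICU's CE32 layout, index = ce32 >> 13 and tag = ce32 & 0xf with builder-data tag 7, which is consistent with the quoted values (0x2d1000f7 >> 13 == 92288), and shows the lookup validating the index against the table size and returning an error instead of dereferencing a null pointer.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed CE32 layout (ICU Collation::indexFromCE32 / tagFromCE32):
// the index sits in the upper bits, the 4-bit tag in the low bits.
constexpr int CE32_INDEX_SHIFT = 13;
constexpr uint32_t CE32_TAG_MASK = 0xf;
constexpr uint32_t BUILDER_DATA_TAG = 7;  // assumed value of the builder-data tag

struct ConditionalCE32 { uint32_t ce32; };

static inline int32_t indexFromCE32(uint32_t ce32) { return (int32_t)(ce32 >> CE32_INDEX_SHIFT); }
static inline uint32_t tagFromCE32(uint32_t ce32) { return ce32 & CE32_TAG_MASK; }

// Models the table accessor: an out-of-range index yields nullptr rather than
// an element. The crash in the report is that nullptr being dereferenced.
const ConditionalCE32 *lookupConditional(const std::vector<ConditionalCE32> &table, int32_t index) {
    if (index < 0 || (size_t)index >= table.size()) return nullptr;
    return &table[(size_t)index];
}

enum Status { OK = 0, BAD_TAG = 1, INDEX_OUT_OF_RANGE = 2 };

// Hardened accessor: check the tag, check the lookup result, and report an
// error code instead of touching cond->ce32 when cond is null.
Status getCE32FromBuilderDataChecked(const std::vector<ConditionalCE32> &table,
                                     uint32_t ce32, uint32_t *out) {
    if (tagFromCE32(ce32) != BUILDER_DATA_TAG) return BAD_TAG;
    const ConditionalCE32 *cond = lookupConditional(table, indexFromCE32(ce32));
    if (cond == nullptr) return INDEX_OUT_OF_RANGE;  // unchecked code would dereference here
    *out = cond->ce32;
    return OK;
}

// Constructed sample: a table of 598 entries, the size quoted in the report,
// probed with an arbitrary ce32. The reported 0x2d1000f7 decodes to index
// 92288, far beyond the table, and is rejected instead of crashing.
Status probe(uint32_t ce32) {
    std::vector<ConditionalCE32> table(598, ConditionalCE32{0x12345678u});
    uint32_t value = 0;
    return getCE32FromBuilderDataChecked(table, ce32, &value);
}
```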

Assignee: Markus Scherer

Reporter: Norbert Runge

Reviewer: None

Priority: assess

Time Needed: Hours