strcpy buffer overrun when legacy tag passed in with tagLen and not null terminated in ultag_parse
Description
This was found by a Google internal fuzzer, as a null read in ulocimp_forLanguageTag (or icu::Locale::forLanguageTag and icu::LocaleBuilder::setLanguageTag).
It happens with a legacy locale id language tag with a long extension, passed in without null termination but with tagLen. The strcpy is not safe because it will copy the memory after tagLen and overrun the memory for the extlang array.
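As an added example (not ICU's code and not the reporter's patch), the C program below reproduces the shape of the bug described above with a constructed legacy-tag table and a constructed input: a tag that is followed in memory by bytes beyond tagLen, as with the StringPiece case. The unsafe rewrite uses strcpy on tag + checkLegacyLen and so copies everything up to the next NUL in memory; the hardened rewrite bounds the copy by tagLen, checks the destination size, and terminates the result explicitly, which is the step a plain strncpy substitution would miss. The LEGACY_TAGS table and its replacement strings, the INPUT string, and all function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the LEGACY table in uloc_tag.cpp: each entry is a
 * legacy tag and the replacement it is rewritten to.  The replacement values
 * are assumptions for this example, not ICU's table.
 */
static const char *const LEGACY_TAGS[][2] = {
    {"i-enochian", "und-x-i-enochian"},
    {"art-lojban", "jbo"},
};
#define LEGACY_COUNT (sizeof LEGACY_TAGS / sizeof LEGACY_TAGS[0])

/* Returns the index of the legacy entry that prefixes tag[0..tagLen) as a whole
 * subtag run (exact match or followed by '-'), or -1.  Case-sensitive for
 * brevity; the lookup only touches the first tagLen bytes. */
static int match_legacy(const char *tag, size_t tagLen) {
    for (size_t i = 0; i < LEGACY_COUNT; i++) {
        size_t len = strlen(LEGACY_TAGS[i][0]);
        if (tagLen >= len && strncmp(tag, LEGACY_TAGS[i][0], len) == 0 &&
            (tagLen == len || tag[len] == '-'))
            return (int)i;
    }
    return -1;
}

/* Pre-fix shape of the rewrite: copy the replacement, then strcpy the rest of
 * the tag.  strcpy stops at the first NUL in memory, not at tagLen, so it reads
 * and copies whatever follows the caller's tagLen bytes and can overrun buf.
 * Returns bytes written (excluding NUL) or -1 if no legacy tag matched. */
static int rewrite_legacy_unsafe(const char *tag, size_t tagLen, char *buf) {
    int i = match_legacy(tag, tagLen);
    if (i < 0) return -1;
    size_t checkLegacyLen = strlen(LEGACY_TAGS[i][0]);
    size_t replacementLen = strlen(LEGACY_TAGS[i][1]);
    strcpy(buf, LEGACY_TAGS[i][1]);
    if (checkLegacyLen != tagLen)
        strcpy(buf + replacementLen, tag + checkLegacyLen); /* the reported bug */
    return (int)strlen(buf);
}

/* Hardened rewrite: bound the copy by tagLen, refuse if the result would not
 * fit, and NUL-terminate explicitly.  strncpy alone would not terminate here,
 * since the source has no NUL within the copied length.
 * Returns bytes written, -1 if no legacy tag matched, -2 if buf is too small. */
static int rewrite_legacy_safe(const char *tag, size_t tagLen,
                               char *buf, size_t bufSize) {
    int i = match_legacy(tag, tagLen);
    if (i < 0) return -1;
    size_t checkLegacyLen = strlen(LEGACY_TAGS[i][0]);
    size_t replacementLen = strlen(LEGACY_TAGS[i][1]);
    size_t restLen = tagLen - checkLegacyLen;
    if (replacementLen + restLen + 1 > bufSize) return -2;
    memcpy(buf, LEGACY_TAGS[i][1], replacementLen);
    memcpy(buf + replacementLen, tag + checkLegacyLen, restLen);
    buf[replacementLen + restLen] = '\0';
    return (int)(replacementLen + restLen);
}

/* Constructed input: a 16-byte tag that is immediately followed in memory by
 * bytes the caller never meant to pass, like the StringPiece in the report. */
static const char INPUT[] = "i-enochian-x-foo" "AND EXTRA MEMORY AFTER tagLen";
enum { INPUT_TAGLEN = 16 };

/* Bytes the unsafe rewrite copies for INPUT: 51, not the 22 the caller expects,
 * because the 29 trailing bytes past tagLen were copied as well. */
static int unsafe_copied_len(void) {
    char buf[128]; /* oversized so the demonstration itself does not overflow */
    return rewrite_legacy_unsafe(INPUT, INPUT_TAGLEN, buf);
}

/* 1 if the hardened rewrite produces exactly "und-x-i-enochian-x-foo". */
static int safe_output_ok(void) {
    char buf[32];
    int n = rewrite_legacy_safe(INPUT, INPUT_TAGLEN, buf, sizeof buf);
    return n == 22 && strcmp(buf, "und-x-i-enochian-x-foo") == 0;
}

int main(void) {
    char buf[32];
    printf("unsafe copied %d bytes for tagLen %d\n",
           unsafe_copied_len(), INPUT_TAGLEN);
    printf("safe: %d -> %s\n",
           rewrite_legacy_safe(INPUT, INPUT_TAGLEN, buf, sizeof buf), buf);
    printf("safe with 20-byte buffer: %d\n",
           rewrite_legacy_safe(INPUT, INPUT_TAGLEN, buf, 20));
    return 0;
}
```

The unsafe path is run here against an oversized buffer only so the overread is observable without crashing; with a destination sized for the expected 22 bytes it writes past the end, which is the overrun the report describes.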
The real fix is longer than what I put above, after some more testing.
Frank Yung-Fong Tang
July 13, 2021 at 8:39 PM
Test case locale: calling icu::Locale::forLanguageTag with
“i-enochian-1nochian-129-515VNTR-64863775-X3il6-110Y101-29-515VNTR-64863775-153zu-u-Y4-H0-t6-X3-u6-110Y101-X” without null termination and with tagLen set to 82.
Say you have
StringPiece(“i-enochian-1nochian-129-515VNTR-64863775-X3il6-110Y101-29-515VNTR-64863775-153zu-u-Y4-H0-t6-X3-u6-110Y101-X” “AND EXTRA MEMORY IN THE END AFTER 82”, 82) as input.
Fix is simple
```
source/common/uloc_tag.cpp 2021-07-13 13:28:37.000000000 -0700
@@ -2102,7 +2102,7 @@
parsedLenDelta = checkLegacyLen - replacementLen;
uprv_strcpy(t->buf, LEGACY[i + 1]);
if (checkLegacyLen != tagLen) {
uprv_strcpy(t->buf + replacementLen, tag + checkLegacyLen);
+ uprv_strncpy(t->buf + replacementLen, tag + checkLegacyLen, tagLen - checkLegacyLen);
}
break;
}
```
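Review bot: the added `+ uprv_strncpy(t->buf + replacementLen, tag + checkLegacyLen, tagLen - checkLegacyLen);` leaves t->buf unterminated in exactly the case this issue is about: strncpy only writes a NUL if it finds one within the first n source bytes, and the input here has none within tagLen, so later parsing of t->buf still runs off the end. Write `t->buf[replacementLen + (tagLen - checkLegacyLen)] = 0;` after the copy, and check that replacementLen + (tagLen - checkLegacyLen) + 1 fits in t->buf before copying, since bounding by tagLen bounds the read but not the write. Also, the old `uprv_strcpy(t->buf + replacementLen, tag + checkLegacyLen);` line carries no `-` marker, so as posted the hunk keeps the strcpy and adds the strncpy after it; the `@@ -2102,7 +2102,7 @@` counts suggest it was meant as a replacement.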
Will work on a PR w/ unit test for review soon.