Skip to content

cap fullStage2Length to avoid size overflow in reconstituteData#4012

Open
rootvector2 wants to merge 1 commit into
unicode-org:mainfrom
rootvector2:mbcs-reconstitute-overflow
Open

cap fullStage2Length to avoid size overflow in reconstituteData#4012
rootvector2 wants to merge 1 commit into
unicode-org:mainfrom
rootvector2:mbcs-reconstitute-overflow

Conversation

@rootvector2

@rootvector2 rootvector2 commented Jun 1, 2026

Copy link
Copy Markdown

Description

reconstituteData() in the MBCS converter loader computes
dataLength = stage1Length*2 + fullStage2Length*4 + fromUBytesLength in uint32_t.
A table with a large fullStage2Length wraps this sum to a small value, so uprv_malloc
allocates an undersized buffer that the following uprv_memcpy and stage-2 pointer
arithmetic overrun.

This adds a 64-bit overflow check that rejects the table with U_INVALID_TABLE_FORMAT,
mirroring the other malformed-table guards already in the loader (ucnv_MBCSLoad).

Found while fuzzing the converter loader with mutated .cnv table data.

Checklist

  • Required: Issue filed: ICU-NNNNN
  • Required: The PR title must be prefixed with a JIRA Issue number. Example: "ICU-NNNNN Fix xyz"
  • Required: Each commit message must be prefixed with a JIRA Issue number. Example: "ICU-NNNNN Fix xyz"
  • Issue accepted (done by Technical Committee after discussion)
  • Tests included, if applicable
  • API docs and/or User Guide docs changed or added, if applicable
  • Approver: Feel free to merge on my behalf

@markusicu

Copy link
Copy Markdown
Member
  • Please restore and fill out the pull request template.
  • Please create a Jira ticket with the problem description.
  • This appears to be guarding against bad input binary data, which is hard to do comprehensively and not a goal. I will take a look at the context.

@markusicu markusicu self-assigned this Jun 11, 2026
@rootvector2

Copy link
Copy Markdown
Author

Restored and filled out the template in the description.

I don't have a Jira account to file the ticket. Can you open one for this overflow, or point me at an umbrella issue to reuse? I'll prefix the title and commit with the number once it exists.

On scope: this isn't comprehensive input validation, just the single uint32_t sum in reconstituteData that wraps. ucnv_MBCSLoad already rejects malformed tables with U_INVALID_TABLE_FORMAT in several spots, so this matches those. Found it fuzzing the loader with mutated .cnv data, and I'm fine to drop it if you'd rather not guard there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants