ICU-23443 Fix heap under-allocation and missing OOM check in VTimeZone/IZRule C wrappers #4050
Open
UnLucky252 wants to merge 1 commit into
Conversation
Linked Jira issue
ICU-23443
Summary
Four C wrapper functions in icu4c/source/i18n/vzone.cpp and icu4c/source/i18n/zrule.cpp allocated their output char16_t* buffer with uprv_malloc(length) instead of uprv_malloc(length * sizeof(char16_t)), and then copied length bytes instead of length * sizeof(char16_t) bytes — so the returned buffer was half the size implied by the returned length. They also did not check the malloc result for nullptr before memcpy.
Affected functions:
- vzone_write
- vzone_writeFromStart
- vzone_writeSimple
- izrule_getName
Cause
UnicodeString::length() returns the number of UTF-16 code units; each unit is sizeof(char16_t) == 2 bytes. The malloc/memcpy used that count as a byte count. On OOM uprv_malloc returns nullptr and the subsequent memcpy is undefined behavior.
Fix
- Allocate and copy length * sizeof(char16_t) bytes.
- On allocation failure, set status = U_MEMORY_ALLOCATION_ERROR (where a UErrorCode parameter is available) and reset the out-parameters.
- The vzone_* functions also bail out early when the inner VTimeZone::write* call already set a failure.
- izrule_getName has no UErrorCode parameter (changing the signature would break ABI), so on OOM it can only signal by setting nameLength = 0 and leaving name = nullptr.
Existing tests pass (no behavior change on the success path beyond
returning the full UTF-16 buffer that callers always assumed).
No new test added — the OOM path requires allocator injection that
is not part of the standard test harness.
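The two patterns described above, as an added example that is not ICU's code and not part of this pull request: a "before" exporter that treats the UTF-16 code-unit count as a byte count and never checks the allocation, beside a hardened exporter that sizes the buffer with sizeof(char16_t), checks for NULL, resets its out-parameters and bails out early on a prior failure. The ex_status enum, the ex_alloc_fn hook and all ex_* names are constructed stand-ins for UErrorCode and uprv_malloc, not ICU identifiers; the recording allocator makes the under-allocation visible without triggering the caller-side over-read, and the always-failing allocator is the kind of injection the Testing section says the standard harness lacks.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <uchar.h>

/* Constructed stand-in for ICU's UErrorCode; the names are this example's own. */
typedef enum { EX_OK = 0, EX_MEMORY_ALLOCATION_ERROR = 1 } ex_status;

/* Allocator hook (stands in for uprv_malloc) so the OOM branch is testable. */
typedef void *(*ex_alloc_fn)(size_t);

static size_t ex_last_request;   /* last size handed to the allocator */

/* Records the requested size, then allocates normally. */
void *ex_alloc_recording(size_t n) { ex_last_request = n; return malloc(n); }

/* Always fails: simulates out-of-memory. */
void *ex_alloc_never(size_t n) { ex_last_request = n; return NULL; }

size_t ex_last_alloc_request(void) { return ex_last_request; }

/* Byte size of `length` UTF-16 code units (0 for a negative length). */
size_t ex_utf16_bytes(int32_t length) {
    return length < 0 ? 0 : (size_t)length * sizeof(char16_t);
}

/* BEFORE: the pattern the PR removes. `length` counts UTF-16 code units but
   is used as a byte count for both the allocation and the copy, and the
   allocator's result is never checked. The copy itself stays inside the
   buffer, so the damage surfaces at the caller, which trusts *out_length
   and reads 2*length bytes from a length-byte allocation. */
char16_t *ex_export_utf16_before(const char16_t *src, int32_t length,
                                 int32_t *out_length, ex_alloc_fn alloc) {
    char16_t *buf = (char16_t *)alloc((size_t)length);
    memcpy(buf, src, (size_t)length);   /* undefined if alloc returned NULL */
    *out_length = length;
    return buf;
}

/* AFTER: allocate and copy length*sizeof(char16_t) bytes, check the
   allocation, reset the out-parameters and report failure via status. */
char16_t *ex_export_utf16(const char16_t *src, int32_t length,
                          int32_t *out_length, ex_status *status,
                          ex_alloc_fn alloc) {
    *out_length = 0;
    if (*status != EX_OK || length < 0)   /* bail if an earlier step failed */
        return NULL;
    size_t bytes = ex_utf16_bytes(length);
    /* malloc(0) may legally return NULL; request at least one byte so an
       empty string is not mistaken for an allocation failure. */
    char16_t *buf = (char16_t *)alloc(bytes == 0 ? 1 : bytes);
    if (buf == NULL) {
        *status = EX_MEMORY_ALLOCATION_ERROR;
        return NULL;
    }
    memcpy(buf, src, bytes);
    *out_length = length;
    return buf;
}

int main(void) {
    /* Constructed sample: the UTF-16 code units of "VTIMEZONE". */
    const char16_t src[] = {0x56, 0x54, 0x49, 0x4d, 0x45, 0x5a, 0x4f, 0x4e, 0x45};
    const int32_t n = (int32_t)(sizeof src / sizeof src[0]);
    int32_t got = 0;
    ex_status st = EX_OK;

    char16_t *old = ex_export_utf16_before(src, n, &got, ex_alloc_recording);
    printf("before: %d units reported, %zu bytes allocated\n", got, ex_last_alloc_request());
    free(old);

    char16_t *fixed = ex_export_utf16(src, n, &got, &st, ex_alloc_recording);
    printf("after:  %d units reported, %zu bytes allocated\n", got, ex_last_alloc_request());
    free(fixed);

    fixed = ex_export_utf16(src, n, &got, &st, ex_alloc_never);
    printf("oom:    buf=%p length=%d status=%d\n", (void *)fixed, got, (int)st);
    return 0;
}
```

The recording allocator is the useful review tool here: for a nine-unit string the old pattern asks for 9 bytes while the fixed one asks for 18, which is exactly the half-size buffer the Summary describes, and it shows up without any invalid memory access. The early return on a non-OK status mirrors the vzone_* bail-out; a wrapper without a status parameter, like izrule_getName, can only do the out-parameter reset part of this.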
Notes
Found by static analysis (Svace, ISP RAS).
Checklist