
ICU-23450 Fix undefined shift and buffer overflow in ubidi_writeReordered #4060

Open
FrankYFTang wants to merge 1 commit into unicode-org:main from FrankYFTang:fix-icu-23450


@FrankYFTang FrankYFTang commented Jun 30, 2026

Contributor

In ubidi_writeReordered, if mirroring was enabled and a character
expanded during mirroring (e.g. U+221D mirrors to U+1DB10, expanding
from 1 to 2 UTF-16 code units), doWriteForward returned the expanded
length. ubidi_writeReordered then used this expanded length to index
dirProps at line 651, leading to out-of-bounds read and undefined shift.

This CL fixes this by:

  1. Using the original run length to index dirProps in ubidi_writeReordered.
  2. Fixing doWriteForward (mirroring and default cases) and doWriteReverse
    (default case) to correctly check destination buffer capacity during
    write, accounting for mirroring expansion, and perform correct preflighting.
  3. Fixing a logical bug in doWriteReverse where copying of combining
    characters was using incorrect index due to assuming mirrored character
    has same length as original.

Adds unit tests to cintltst verifying the fixes.
Also add Java unit test and fix the Java.

Checklist

  • Required: Issue filed: ICU-23450
  • Required: The PR title must be prefixed with a JIRA Issue number. Example: "ICU-NNNNN Fix xyz"
  • Required: Each commit message must be prefixed with a JIRA Issue number. Example: "ICU-NNNNN Fix xyz"
  • Issue accepted (done by Technical Committee after discussion)
  • Tests included, if applicable
  • API docs and/or User Guide docs changed or added, if applicable
  • Approver: Feel free to merge on my behalf
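
The length mismatch described in this PR, shown as an added example that is not part of the PR or of ICU's code. The writer `toy_write_forward`, the check `prop_index_ok` and the one-entry mirror table are hypothetical; the mirror pair is the one named in the PR description.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy mirror table (assumption): only the pair named in the PR description. */
static uint32_t toy_mirror(uint32_t c) { return c == 0x221D ? 0x1DB10 : c; }

/* Hypothetical writer, not ICU code. Copies BMP-only UTF-16 `src` to `dest`
 * with mirroring. Returns the OUTPUT length in UTF-16 units, which can exceed
 * src_len. Never writes at or past dest_cap; on overflow it keeps counting
 * (preflight) and sets *overflow. */
static int32_t toy_write_forward(const uint16_t *src, int32_t src_len,
                                 uint16_t *dest, int32_t dest_cap, int *overflow)
{
    int32_t out = 0;
    *overflow = 0;
    for (int32_t i = 0; i < src_len; ++i) {
        uint32_t c = toy_mirror(src[i]);
        int32_t need = c > 0xFFFF ? 2 : 1;   /* mirrored form may need a surrogate pair */
        if (!*overflow && need <= dest_cap - out) {
            if (need == 2) {
                dest[out]     = (uint16_t)(0xD7C0 + (c >> 10));   /* lead surrogate */
                dest[out + 1] = (uint16_t)(0xDC00 | (c & 0x3FF)); /* trail surrogate */
            } else {
                dest[out] = (uint16_t)c;
            }
        } else {
            *overflow = 1;
        }
        out += need;
    }
    return out;
}

/* Bounds check for an array with one entry per SOURCE unit (like dirProps). */
static int prop_index_ok(int32_t index, int32_t src_len)
{
    return index >= 0 && index < src_len;
}

int main(void)
{
    const uint16_t src[] = { 0x0041, 0x221D };   /* constructed sample run */
    uint16_t dest[4];
    int overflow;
    int32_t out = toy_write_forward(src, 2, dest, 4, &overflow);
    printf("source units=2 output units=%d overflow=%d\n", (int)out, overflow);
    printf("index from output length ok=%d, from source length ok=%d\n",
           prop_index_ok(out - 1, 2), prop_index_ok(2 - 1, 2));
    return 0;
}
```

The caller has to keep the source run length and the written length as separate values: only the first is a valid bound for per-source-unit arrays, and only the second is a valid bound for the destination.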

@FrankYFTang FrankYFTang requested a review from roubert June 30, 2026 23:31
@markusicu markusicu self-assigned this Jul 1, 2026
@jira-pull-request-webhook


Hooray! The files in the branch are the same across the force-push. 😃

~ Your Friendly Jira-GitHub PR Checker Bot

@FrankYFTang FrankYFTang requested a review from markusicu July 2, 2026 00:08