Closed Bug 1871634 Opened 2 years ago Closed 2 years ago

buffer overflow in ICU _appendKeywordsToLanguageTag

Categories

(Core :: Internationalization, defect)

Firefox 121
defect


RESOLVED INVALID

People

(Reporter: d4ni31, Unassigned)

Details

(Whiteboard: [Gecko not affected])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

Steps to reproduce:

Title

  • Mozilla Firefox _appendKeywordsToLanguageTag buffer overflow vulnerability

Summary

  • A buffer overflow vulnerability exists in the ICU uloc_tag _appendKeywordsToLanguageTag function.
  • It was already patched in ICU Project 3 months ago, but it was not merged into Firefox.

ICU Project Patch Commit

Patch

icu4c/source/common/uloc_tag.cpp
@@ -1326,14 +1326,23 @@ _appendKeywordsToLanguageTag(const char* localeID, icu::ByteSink& sink, UBool st

                        attrBufLength = 0;
                        for (; i < len; i++) {
                            if (buf[i] != '-') {
-                               attrBuf[attrBufLength++] = buf[i];
+                               if (static_cast<size_t>(attrBufLength) < sizeof(attrBuf)) {
+                                   attrBuf[attrBufLength++] = buf[i];
+                               } else {
+                                   *status = U_ILLEGAL_ARGUMENT_ERROR;
+                                   return;
+                               }
                            } else {
                                i++;
                                break;
                            }
                        }
                        if (attrBufLength > 0) {
-                           attrBuf[attrBufLength] = 0;
+                           if (static_cast<size_t>(attrBufLength) < sizeof(attrBuf)) {
+                               attrBuf[attrBufLength] = 0;
+                           } else {
+                               *status = U_STRING_NOT_TERMINATED_WARNING;
+                           }

                        } else if (i >= len){
                            break;
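Review bot: the two new bounds checks in this hunk handle the same oversize input inconsistently. Inside the loop, an attribute that would overrun attrBuf sets U_ILLEGAL_ARGUMENT_ERROR and returns, but the terminator check after the loop only sets U_STRING_NOT_TERMINATED_WARNING and falls through, leaving attrBuf completely filled with no NUL terminator when attrBufLength == sizeof(attrBuf). Any later code that treats attrBuf as a C string would then read past the end of the buffer, trading the write overflow for a read over-read. Suggest either returning with the same error as the loop (`*status = U_ILLEGAL_ARGUMENT_ERROR; return;`) or confirming in the patch description that every consumer of attrBuf is length-bounded by attrBufLength rather than relying on the terminator. A short comment on why the terminator case is merely a warning would also help future readers of this function.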
Group: firefox-core-security → layout-core-security
Component: Untriaged → Internationalization
Product: Firefox → Core
Flags: needinfo?(tom)

This code appears to be unused, or at least untested, in our tree.

Group: layout-core-security → javascript-core-security
Component: Internationalization → JavaScript: Internationalization API

Correct, this code is not used in Firefox, especially not where an attacker could trigger the vulnerability.

Component: JavaScript: Internationalization API → Internationalization
Flags: needinfo?(tom)
Group: javascript-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
Whiteboard: [Gecko not affected]