Closed Bug 1871635 Opened 2 years ago Closed 1 year ago

buffer overflow in ICU toLanguageTag

Categories

(Core :: Internationalization, defect)

Firefox 121
defect


RESOLVED DUPLICATE of bug 1927706

People

(Reporter: d4ni31, Unassigned)


Details

(Keywords: reporter-external, sec-other)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

Steps to reproduce:

Title

  • Mozilla Firefox toLanguageTag buffer overflow vulnerability

Summary

  • A buffer overflow vulnerability exists in the ICU toLanguageTag.
  • It was already patched in ICU Project 3 months ago, but it was not merged into Firefox.

ICU Project Patch Commit

Patch

icu4c/source/common/uloc_tag.cpp
@@ -1952,8 +1952,8 @@ _appendPrivateuseToLanguageTag(const char* localeID, icu::ByteSink& sink, UBool

                            len = (int32_t)uprv_strlen(PRIVUSE_VARIANT_PREFIX);
                            if (reslen < capacity) {
                                uprv_memcpy(tmpAppend + reslen, PRIVUSE_VARIANT_PREFIX, uprv_min(len, capacity - reslen));
+                               reslen += uprv_min(len, capacity - reslen);
                            }
-                           reslen += len;

                            if (reslen < capacity) {
                                tmpAppend[reslen++] = SEP;
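Review bot: the new line `reslen += uprv_min(len, capacity - reslen);` keeps `reslen` from running past `capacity`, which is what let the final `sink.Append(tmpAppend, len)` read beyond the buffer, but it also drops the old behaviour where `reslen` kept counting the bytes that did not fit. Truncation is now silent: a caller passing a too-small buffer gets a shortened tag and no signal. Consider tracking the required length in a separate counter, or failing `*status` when `len > capacity - reslen`, so that truncation is reported rather than hidden.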
@@ -1965,8 +1965,8 @@ _appendPrivateuseToLanguageTag(const char* localeID, icu::ByteSink& sink, UBool
                        len = (int32_t)uprv_strlen(pPriv);
                        if (reslen < capacity) {
                            uprv_memcpy(tmpAppend + reslen, pPriv, uprv_min(len, capacity - reslen));
+                           reslen += uprv_min(len, capacity - reslen);
                        }
-                       reslen += len;
                    }
                }
                /* reset private use starting position */
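Review bot: same accounting change as the prefix block above, with the same silent-truncation consequence: `uprv_memcpy(tmpAppend + reslen, pPriv, uprv_min(len, capacity - reslen));` can copy only part of `pPriv`, so the emitted tag may end in a partial private-use subtag with no error raised. The expression `uprv_min(len, capacity - reslen)` is also now evaluated twice in each block; compute it once into a local (e.g. `int32_t n = uprv_min(len, capacity - reslen);`) and use it for both the copy and the increment so the two cannot drift apart in a later edit.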
@@ -1984,6 +1984,7 @@ _appendPrivateuseToLanguageTag(const char* localeID, icu::ByteSink& sink, UBool

    if (U_SUCCESS(*status)) {
        len = reslen;
+       U_ASSERT(reslen <= capacity);
        sink.Append(tmpAppend, len);
    }
}
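Review bot: `U_ASSERT(reslen <= capacity);` documents the invariant but ICU's `U_ASSERT` is compiled out in non-debug builds, so a future regression in the accounting above would again reach `sink.Append(tmpAppend, len)` with `len > capacity` in release. Prefer a runtime guard alongside the assert, for instance clamping `len` to `capacity` or setting a failure in `*status` before the `sink.Append` call, so an over-read is impossible regardless of build configuration.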
Group: firefox-core-security → layout-core-security
Component: Untriaged → Internationalization
Product: Firefox → Core

Thank you for this. My understanding from looking at the code is that if we called this API incorrectly, we might be vulnerable, but it would require an unexpected locale (i.e. one with a large tag) to be present; and that isn't triggerable from website JavaScript. If anyone thinks that is not the case, please needinfo me.

Keywords: sec-other
Summary: buffer overflow in ICU toLanguateTag → buffer overflow in ICU toLanguageTag

This will be fixed by bug 1859752.

Severity: -- → S3
Depends on: 1859752

Sorry for the burst of bugspam: filter on tinkling-glitter-filtrate
Adding reporter-external keyword to security bugs found by non-employees for accounting reasons

Flags: sec-bounty?
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1927706
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Group: layout-core-security