• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1Index: source/common/uloc.c
2===================================================================
3--- source/common/uloc.c	(revision 68397)
4+++ source/common/uloc.c	(working copy)
5@@ -693,6 +693,13 @@
6                     keywordList[numKeywords].keyword[n++] = uprv_tolower(pos[i]);
7                 }
8             }
9+
10+            /* zero-length keyword is an error. */
11+            if (n == 0) {
12+                *status = U_INVALID_FORMAT_ERROR;
13+                return 0;
14+            }
15+
16             keywordList[numKeywords].keyword[n] = 0;
17             keywordList[numKeywords].keywordLen = n;
18             /* now grab the value part. First we skip the '=' */
19@@ -701,8 +708,15 @@
20             while(*equalSign == ' ') {
21                 equalSign++;
22             }
23+
24+            /* Premature end or zero-length value */
25+            if (!equalSign || equalSign == semicolon) {
26+                *status = U_INVALID_FORMAT_ERROR;
27+                return 0;
28+            }
29+
30             keywordList[numKeywords].valueStart = equalSign;
31-
32+
33             pos = semicolon;
34             i = 0;
35             if(pos) {
36@@ -713,7 +727,7 @@
37                 pos++;
38             } else {
39                 i = (int32_t)uprv_strlen(equalSign);
40-                while(equalSign[i-1] == ' ') {
41+                while(i && equalSign[i-1] == ' ') {
42                     i--;
43                 }
44                 keywordList[numKeywords].valueLen = i;
45@@ -1797,7 +1811,7 @@
46                 int32_t variantLen = _deleteVariant(variant, uprv_min(variantSize, (nameCapacity-len)), variantToCompare, n);
47                 len -= variantLen;
48                 if (variantLen > 0) {
49-                    if (name[len-1] == '_') { /* delete trailing '_' */
50+                    if (len > 0 && name[len-1] == '_') { /* delete trailing '_' */
51                         --len;
52                     }
53                     addKeyword = VARIANT_MAP[j].keyword;
54@@ -1805,7 +1819,7 @@
55                     break;
56                 }
57             }
58-            if (name[len-1] == '_') { /* delete trailing '_' */
59+            if (len > 0 && len <= nameCapacity && name[len-1] == '_') { /* delete trailing '_' */
60                 --len;
61             }
62         }
63Index: source/common/uresbund.c
64===================================================================
65--- source/common/uresbund.c	(revision 122103)
66+++ source/common/uresbund.c	(working copy)
67@@ -319,7 +319,7 @@
68     UResourceDataEntry *r = NULL;
69     UResourceDataEntry find;
70     /*int32_t hashValue;*/
71-    char name[96];
72+    char name[100];
73     char aliasName[100] = { 0 };
74     int32_t aliasLen = 0;
75     /*UBool isAlias = FALSE;*/
76@@ -528,8 +528,8 @@
77     UBool hasChopped = TRUE;
78     UBool usingUSRData = U_USE_USRDATA && ( path == NULL || uprv_strncmp(path,U_ICUDATA_NAME,8) == 0);
79
80-    char name[96];
81-    char usrDataPath[96];
82+    char name[100];
83+    char usrDataPath[100];
84
85     initCache(status);
86
87