Subject: bug#26571: [PATCH 1/1] gnu: icu4c: Fix CVE-2017-{7867,7868}.
To: guix-patches@gnu.org
From: Leo Famulari
Date: Wed, 19 Apr 2017 19:52:13 -0400

* gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/icu4c.scm (icu4c/fixed)[source]: Use it.
--- gnu/local.mk | 1 + gnu/packages/icu4c.scm | 3 +- .../icu4c-CVE-2017-7867-CVE-2017-7868.patch | 164 +++++++++++++++++++++ 3 files changed, 167 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch diff --git a/gnu/local.mk b/gnu/local.mk index 6e0c3eb42..90268c485 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -657,6 +657,7 @@ dist_patch_DATA = \ %D%/packages/patches/hypre-ldflags.patch \ %D%/packages/patches/icecat-avoid-bundled-libraries.patch \ %D%/packages/patches/icecat-binutils.patch \ + %D%/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch \ %D%/packages/patches/icu4c-reset-keyword-list-iterator.patch \ %D%/packages/patches/id3lib-CVE-2007-4460.patch \ %D%/packages/patches/ilmbase-fix-tests.patch \ diff --git a/gnu/packages/icu4c.scm b/gnu/packages/icu4c.scm index 2b5144100..9f465b102 100644 --- a/gnu/packages/icu4c.scm +++ b/gnu/packages/icu4c.scm @@ -73,4 +73,5 @@ C/C++ part.") (source (origin (inherit (package-source icu4c)) (patches - (search-patches "icu4c-reset-keyword-list-iterator.patch")))))) + (search-patches "icu4c-CVE-2017-7867-CVE-2017-7868.patch" + "icu4c-reset-keyword-list-iterator.patch")))))) 
diff --git a/gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch b/gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch new file mode 100644 index 000000000..4db8f2799 --- /dev/null +++ b/gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch 
@@ -0,0 +1,164 @@ +Fix CVE-2017-7867 and CVE-2017-7868: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7867 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7868 + +Patch copied from upstream source repository: + +http://bugs.icu-project.org/trac/changeset/39671 + +Index: icu/source/common/utext.cpp +=================================================================== +--- icu/source/common/utext.cpp (revision 39670) ++++ icu/source/common/utext.cpp (revision 39671) +@@ -848,7 +848,13 @@ + + // Chunk size. +-// Must be less than 85, because of byte mapping from UChar indexes to native indexes. +-// Worst case is three native bytes to one UChar. (Supplemenaries are 4 native bytes +-// to two UChars.) ++// Must be less than 42 (256/6), because of byte mapping from UChar indexes to native indexes. ++// Worst case there are six UTF-8 bytes per UChar. ++// obsolete 6 byte form fd + 5 trails maps to fffd ++// obsolete 5 byte form fc + 4 trails maps to fffd ++// non-shortest 4 byte forms maps to fffd ++// normal supplementaries map to a pair of utf-16, two utf8 bytes per utf-16 unit ++// mapToUChars array size must allow for the worst case, 6. ++// This could be brought down to 4, by treating fd and fc as pure illegal, ++// rather than obsolete lead bytes. But that is not compatible with the utf-8 access macros. + // + enum { UTF8_TEXT_CHUNK_SIZE=32 }; +@@ -890,5 +896,5 @@ + // one for a supplementary starting in the last normal position, + // and one for an entry for the buffer limit position. +- uint8_t mapToUChars[UTF8_TEXT_CHUNK_SIZE*3+6]; // Map native offset from bufNativeStart to ++ uint8_t mapToUChars[UTF8_TEXT_CHUNK_SIZE*6+6]; // Map native offset from bufNativeStart to + // correspoding offset in filled part of buf. 
+ int32_t align; +@@ -1033,4 +1039,5 @@ + u8b = (UTF8Buf *)ut->p; // the current buffer + mapIndex = ix - u8b->toUCharsMapStart; ++ U_ASSERT(mapIndex < (int32_t)sizeof(UTF8Buf::mapToUChars)); + ut->chunkOffset = u8b->mapToUChars[mapIndex] - u8b->bufStartIdx; + return TRUE; +@@ -1299,4 +1306,8 @@ + // If index is at the end, there is no character there to look at. + if (ix != ut->b) { ++ // Note: this function will only move the index back if it is on a trail byte ++ // and there is a preceding lead byte and the sequence from the lead ++ // through this trail could be part of a valid UTF-8 sequence ++ // Otherwise the index remains unchanged. + U8_SET_CP_START(s8, 0, ix); + } +@@ -1312,5 +1323,8 @@ + uint8_t *mapToNative = u8b->mapToNative; + uint8_t *mapToUChars = u8b->mapToUChars; +- int32_t toUCharsMapStart = ix - (UTF8_TEXT_CHUNK_SIZE*3 + 1); ++ int32_t toUCharsMapStart = ix - sizeof(UTF8Buf::mapToUChars) + 1; ++ // Note that toUCharsMapStart can be negative. Happens when the remaining ++ // text from current position to the beginning is less than the buffer size. ++ // + 1 because mapToUChars must have a slot at the end for the bufNativeLimit entry. + int32_t destIx = UTF8_TEXT_CHUNK_SIZE+2; // Start in the overflow region + // at end of buffer to leave room +@@ -1339,4 +1353,5 @@ + // Special case ASCII range for speed. + buf[destIx] = (UChar)c; ++ U_ASSERT(toUCharsMapStart <= srcIx); + mapToUChars[srcIx - toUCharsMapStart] = (uint8_t)destIx; + mapToNative[destIx] = (uint8_t)(srcIx - toUCharsMapStart); +@@ -1368,4 +1383,5 @@ + mapToUChars[sIx-- - toUCharsMapStart] = (uint8_t)destIx; + } while (sIx >= srcIx); ++ U_ASSERT(toUCharsMapStart <= (srcIx+1)); + + // Set native indexing limit to be the current position. 
+@@ -1542,4 +1558,5 @@ + U_ASSERT(index<=ut->chunkNativeLimit); + int32_t mapIndex = index - u8b->toUCharsMapStart; ++ U_ASSERT(mapIndex < (int32_t)sizeof(UTF8Buf::mapToUChars)); + int32_t offset = u8b->mapToUChars[mapIndex] - u8b->bufStartIdx; + U_ASSERT(offset>=0 && offset<=ut->chunkLength); +Index: icu/source/test/intltest/utxttest.cpp +=================================================================== +--- icu/source/test/intltest/utxttest.cpp (revision 39670) ++++ icu/source/test/intltest/utxttest.cpp (revision 39671) +@@ -68,4 +68,6 @@ + case 7: name = "Ticket12130"; + if (exec) Ticket12130(); break; ++ case 8: name = "Ticket12888"; ++ if (exec) Ticket12888(); break; + default: name = ""; break; + } +@@ -1584,2 +1586,62 @@ + utext_close(&ut); + } ++ ++// Ticket 12888: bad handling of illegal utf-8 containing many instances of the archaic, now illegal, ++// six byte utf-8 forms. Original implementation had an assumption that ++// there would be at most three utf-8 bytes per UTF-16 code unit. ++// The five and six byte sequences map to a single replacement character. 
++ ++void UTextTest::Ticket12888() { ++ const char *badString = ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ 
"\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80" ++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"; ++ ++ UErrorCode status = U_ZERO_ERROR; ++ LocalUTextPointer ut(utext_openUTF8(NULL, badString, -1, &status)); ++ TEST_SUCCESS(status); ++ for (;;) { ++ UChar32 c = utext_next32(ut.getAlias()); ++ if (c == U_SENTINEL) { ++ break; ++ } ++ } ++ int32_t endIdx = utext_getNativeIndex(ut.getAlias()); ++ if (endIdx != (int32_t)strlen(badString)) { ++ errln("%s:%d expected=%d, actual=%d", __FILE__, __LINE__, strlen(badString), endIdx); ++ return; ++ } ++ ++ for (int32_t prevIndex = endIdx; prevIndex>0;) { ++ UChar32 c = utext_previous32(ut.getAlias()); ++ int32_t currentIndex = utext_getNativeIndex(ut.getAlias()); ++ if (c != 0xfffd) { ++ errln("%s:%d (expected, actual, index) = (%d, %d, %d)\n", ++ __FILE__, __LINE__, 0xfffd, c, currentIndex); ++ break; ++ } ++ if (currentIndex != prevIndex - 6) { ++ errln("%s:%d: wrong index. Expected, actual = %d, %d", ++ __FILE__, __LINE__, prevIndex - 6, currentIndex); ++ break; ++ } ++ prevIndex = currentIndex; ++ } ++} +Index: icu/source/test/intltest/utxttest.h +=================================================================== +--- icu/source/test/intltest/utxttest.h (revision 39670) ++++ icu/source/test/intltest/utxttest.h (revision 39671) +@@ -39,4 +39,5 @@ + void Ticket10983(); + void Ticket12130(); ++ void Ticket12888(); + + private: -- 2.12.2 From unknown Fri Aug 15 15:56:00 2025 X-Loop: help-debbugs@gnu.org Subject: bug#26571: [PATCH 1/1] gnu: icu4c: Fix CVE-2017-{7867,7868}. 
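Review bot: In the utext.cpp hunk at @@ -890, the new size `UTF8_TEXT_CHUNK_SIZE*6+6` repeats the worst-case factor 6 as a bare literal, and the limit stated in the comment at @@ -848 ("Must be less than 42 (256/6)") is enforced only by that comment. The map entries are `uint8_t` and the patch stores `(uint8_t)(srcIx - toUCharsMapStart)` into mapToNative, so a named constant for the bytes-per-UChar factor plus a compile-time check that the array size stays within what a `uint8_t` can index would keep a later change to UTF8_TEXT_CHUNK_SIZE from silently producing truncated offsets.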
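Review bot: The assertions added in utext.cpp at @@ -1033 and @@ -1542, `U_ASSERT(mapIndex < (int32_t)sizeof(UTF8Buf::mapToUChars));`, check only the upper bound. mapIndex is a difference (`ix - u8b->toUCharsMapStart` in the first hunk, `index - u8b->toUCharsMapStart` in the second, where it is declared int32_t), so a negative value passes the assertion and still indexes before the start of mapToUChars. Asserting `mapIndex >= 0` together with the upper bound would cover both ends. An assertion also does nothing in a build where assertions are compiled out, so the enlarged array at @@ -890 is what actually carries the fix.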
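Review bot: In the utext.cpp hunk at @@ -1312, `ix - sizeof(UTF8Buf::mapToUChars) + 1` mixes the index with an unsigned `sizeof` result, so the subtraction can be carried out in unsigned arithmetic and only becomes the negative value the new comment describes when it is converted back to int32_t. Casting the size first, as the U_ASSERT lines in this same patch already do with `(int32_t)sizeof(UTF8Buf::mapToUChars)`, keeps the whole expression signed and avoids a sign-conversion warning on this line.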
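Review bot: In Ticket12888() (utxttest.cpp, @@ -1584), the first errln call passes `strlen(badString)` to a `%d` conversion; strlen returns size_t, so the argument does not match the format. Cast it to int32_t, as the comparison on the line above already does. The test string also contains only the six-byte `\xfd` form, while the new comment in utext.cpp at @@ -848 lists the five-byte `fc` form and non-shortest four-byte forms as mapping to fffd as well; a case for each would cover the remaining rows of that comment.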
From: ludo@gnu.org (Ludovic Courtès)
Date: Thu, 20 Apr 2017 14:16:49 +0200

Leo Famulari wrote:

> * gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/icu4c.scm (icu4c/fixed)[source]: Use it.

LGTM.

Thank you!

Ludo’.

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Leo Famulari
Subject: bug#26571: closed (Re: bug#26571: [PATCH 1/1] gnu: icu4c: Fix CVE-2017-{7867,7868}.)
Date: Thu, 20 Apr 2017 16:01:02 +0000

Your bug report

#26571: [PATCH 1/1] gnu: icu4c: Fix CVE-2017-{7867,7868}.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 26571@debbugs.gnu.org.

--
26571: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=26571
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Leo Famulari
Subject: Re: bug#26571: [PATCH 1/1] gnu: icu4c: Fix CVE-2017-{7867,7868}.
Date: Thu, 20 Apr 2017 12:00:19 -0400

On Thu, Apr 20, 2017 at 02:16:49PM +0200, Ludovic Courtès wrote:
> Leo Famulari wrote:
>
> > * gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/icu4c.scm (icu4c/fixed)[source]: Use it.
>
> LGTM.
>
> Thank you!

Thanks for the review!

Pushed as e795a3d2ce482d808f94e5be148e90d81c3765e0