From 4e48132b27ec67ca0425e5d90d3863cab4d209f2 Mon Sep 17 00:00:00 2001
From: Alex Malyshev
Date: Tue, 13 May 2014 13:36:13 -0700
Subject: [PATCH] Mitigate buffer overflow in ICU
Summary: There's a buffer overflow in ures_getByKeyWithFallback, where it's using a buffer of size 256 to store a string without checking the length of the input string. This diff stops us from passing strings of length 256 (including nul terminator) to ures_getByKeyWithFallback from get_icu_display_value.
Reviewed By: @fredemmott
Differential Revision: D1337608
---
 hphp/runtime/ext/icu/ext_icu_locale.cpp | 8 ++++++--
 hphp/test/slow/locale/locale-stack-overflow.php | 10 ++++++++++
 hphp/test/slow/locale/locale-stack-overflow.php.expect | 0
 3 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 hphp/test/slow/locale/locale-stack-overflow.php
 create mode 100644 hphp/test/slow/locale/locale-stack-overflow.php.expect
diff --git a/hphp/runtime/ext/icu/ext_icu_locale.cpp b/hphp/runtime/ext/icu/ext_icu_locale.cpp
index 93d4411640b..cbe724ed2f9 100644
--- a/hphp/runtime/ext/icu/ext_icu_locale.cpp
+++ b/hphp/runtime/ext/icu/ext_icu_locale.cpp
@@ -205,8 +205,8 @@ static Variant get_icu_value(const String &locale, LocaleTag tag,
   return false;
 }
 
-static Variant get_icu_display_value(const String &locale,
-                                     const String &disp_locale,
+static Variant get_icu_display_value(const String& locale,
+                                     const String& disp_locale,
                                      LocaleTag tag) {
   String locname(locale);
   if (tag != LOC_DISPLAY) {
@@ -220,6 +220,10 @@ static Variant get_icu_display_value(const String &locale,
     }
   }
 
+  // Hack around buffer overflow in libicu. ures_getByKeyWithFallback is a
+  // silly function.
+  if (locname.size() >= 255 || disp_locale.size() >= 255) return false;
+
   int32_t (*ulocfunc)(const char *loc, const char *dloc, UChar *dest,
                       int32_t destcap, UErrorCode *err);
   switch (tag) {
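Review bot: The bound in the added `if` at the end of the second hunk is a bare magic number that silently mirrors an ICU-internal buffer size, and the comment above it ("silly function") does not record why 255 is the right limit or when the workaround can be retired. Name it and tie it to the commit's own explanation, e.g. `static const int32_t kIcuMaxLocaleLen = 255; // ICU copies the key into a 256-byte buffer, NUL included` and `if (locname.size() >= kIcuMaxLocaleLen || disp_locale.size() >= kIcuMaxLocaleLen) return false;`, with the comment stating that this guards the unchecked copy in ures_getByKeyWithFallback and can be dropped once the minimum supported ICU carries the upstream fix. Two caveats the commit does not address: the check is applied to the locale exactly as passed in, so if ICU canonicalizes or expands the id internally before it reaches that buffer (not visible here) a string just under the limit could presumably still overflow, which argues for a boundary test with a long id carrying keywords or variants; and the early `return false` records no error status, so callers cannot tell this rejection apart from a genuine ICU failure — consider setting whatever error the rest of this function sets on failure, if such a convention exists. get_icu_display_value's body continues past both hunks.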
diff --git a/hphp/test/slow/locale/locale-stack-overflow.php b/hphp/test/slow/locale/locale-stack-overflow.php
new file mode 100644
index 00000000000..cbec1794ccd
--- /dev/null
+++ b/hphp/test/slow/locale/locale-stack-overflow.php
@@ -0,0 +1,10 @@
+