ICU-8824 Apply patch to remove read of unitialized memory.

X-SVN-Rev: 30688
2011-09-19 20:48:29 +00:00 · 2011-09-19 20:48:29 +00:00 · 81618f4a97
commit 81618f4a97
parent df03c9748c
1 changed files with 22 additions and 14 deletions
--- a/icu4c/source/i18n/rematch.cpp
+++ b/icu4c/source/i18n/rematch.cpp
@ -5641,6 +5641,7 @@ GC_Done:
                    const UChar *foldChars = NULL;
                    int32_t foldOffset, foldLength;
                    UChar32 c;
+                    UBool c_is_valid = FALSE;
                    
                    #ifdef REGEX_SMART_BACKTRACKING
                    int32_t originalInputIdx = fp->fInputIdx;
@ -5650,23 +5651,31 @@ GC_Done:
                    foldOffset = foldLength = 0;

                    while (patternChars < patternEnd && success) {
-                        if(foldOffset < foldLength) {
-                            U16_NEXT_UNSAFE(foldChars, foldOffset, c);
-                        } else {
-                            U16_NEXT(inputBuf, fp->fInputIdx, fActiveLimit, c);
-                            foldLength = ucase_toFullFolding(csp, c, &foldChars, U_FOLD_CASE_DEFAULT);
-                            if(foldLength >= 0) {
-                                if(foldLength <= UCASE_MAX_STRING_LENGTH) {   // !!!: Does not correctly handle chars that fold to 0-length strings
-                                    foldOffset = 0;
-                                    U16_NEXT_UNSAFE(foldChars, foldOffset, c);
-                                } else {
-                                    c = foldLength;
-                                    foldLength = foldOffset; // to avoid reading chars from the folding buffer
+                        if (fp->fInputIdx < fActiveLimit) {  // don't read past end of string
+                            if(foldOffset < foldLength) {
+                                U16_NEXT_UNSAFE(foldChars, foldOffset, c);
+                                c_is_valid = TRUE;
+                            } else {
+                                // test pre-condition of U16_NEXT: i < length
+                                U_ASSERT(fp->fInputIdx < fActiveLimit);
+                                U16_NEXT(inputBuf, fp->fInputIdx, fActiveLimit, c);
+                                c_is_valid = TRUE;
+                                foldLength = ucase_toFullFolding(csp, c, &foldChars, U_FOLD_CASE_DEFAULT);
+                                if(foldLength >= 0) {
+                                    if(foldLength <= UCASE_MAX_STRING_LENGTH) {   // !!!: Does not correctly handle chars that fold to 0-length strings
+                                        foldOffset = 0;
+                                        U16_NEXT_UNSAFE(foldChars, foldOffset, c);
+                                    } else {
+                                        c = foldLength;
+                                        foldLength = foldOffset; // to avoid reading chars from the folding buffer
+                                    }
                                }
                            }
+                        } else {
+                          c_is_valid = FALSE;
                        }
                        
-                        if (fp->fInputIdx <= fActiveLimit) {
+                        if (fp->fInputIdx <= fActiveLimit && c_is_valid) {
                            if (U_IS_BMP(c)) {
                                success = (*patternChars == c);
                                patternChars += 1;
@ -6113,4 +6122,3 @@ UOBJECT_DEFINE_RTTI_IMPLEMENTATION(RegexMatcher)
 U_NAMESPACE_END

 #endif  // !UCONFIG_NO_REGULAR_EXPRESSIONS
-