From 81618f4a97688404e20d74d1697cb18dfb24a877 Mon Sep 17 00:00:00 2001
From: Andy Heninger
Date: Mon, 19 Sep 2011 20:48:29 +0000
Subject: [PATCH] ICU-8824 Apply patch to remove read of unitialized memory.
X-SVN-Rev: 30688
---
 icu4c/source/i18n/rematch.cpp | 36 ++++++++++++++++++++++--------------
 1 file changed, 22 insertions(+), 14 deletions(-)
diff --git a/icu4c/source/i18n/rematch.cpp b/icu4c/source/i18n/rematch.cpp
index 4bd50ef0e3..f964999a6b 100644
--- a/icu4c/source/i18n/rematch.cpp
+++ b/icu4c/source/i18n/rematch.cpp
@@ -5641,6 +5641,7 @@ GC_Done:
 const UChar *foldChars = NULL;
 int32_t foldOffset, foldLength;
 UChar32 c;
+ UBool c_is_valid = FALSE;
 #ifdef REGEX_SMART_BACKTRACKING
 int32_t originalInputIdx = fp->fInputIdx;
@@ -5650,23 +5651,31 @@ GC_Done:
 foldOffset = foldLength = 0;
 while (patternChars < patternEnd && success) {
- if(foldOffset < foldLength) {
- U16_NEXT_UNSAFE(foldChars, foldOffset, c);
- } else {
- U16_NEXT(inputBuf, fp->fInputIdx, fActiveLimit, c);
- foldLength = ucase_toFullFolding(csp, c, &foldChars, U_FOLD_CASE_DEFAULT);
- if(foldLength >= 0) {
- if(foldLength <= UCASE_MAX_STRING_LENGTH) { // !!!: Does not correctly handle chars that fold to 0-length strings
- foldOffset = 0;
- U16_NEXT_UNSAFE(foldChars, foldOffset, c);
- } else {
- c = foldLength;
- foldLength = foldOffset; // to avoid reading chars from the folding buffer
+ if (fp->fInputIdx < fActiveLimit) { // don't read past end of string
+ if(foldOffset < foldLength) {
+ U16_NEXT_UNSAFE(foldChars, foldOffset, c);
+ c_is_valid = TRUE;
+ } else {
+ // test pre-condition of U16_NEXT: i < length
+ U_ASSERT(fp->fInputIdx < fActiveLimit);
+ U16_NEXT(inputBuf, fp->fInputIdx, fActiveLimit, c);
+ c_is_valid = TRUE;
+ foldLength = ucase_toFullFolding(csp, c, &foldChars, U_FOLD_CASE_DEFAULT);
+ if(foldLength >= 0) {
+ if(foldLength <= UCASE_MAX_STRING_LENGTH) { // !!!: Does not correctly handle chars that fold to 0-length strings
+ foldOffset = 0;
+ U16_NEXT_UNSAFE(foldChars, foldOffset, c);
+ } else {
+ c = foldLength;
+ foldLength = foldOffset; // to avoid reading chars from the folding buffer
+ }
 }
 }
+ } else {
+ c_is_valid = FALSE;
 }
- if (fp->fInputIdx <= fActiveLimit) {
+ if (fp->fInputIdx <= fActiveLimit && c_is_valid) {
 if (U_IS_BMP(c)) {
 success = (*patternChars == c);
 patternChars += 1;
@@ -6113,4 +6122,3 @@ UOBJECT_DEFINE_RTTI_IMPLEMENTATION(RegexMatcher)
 U_NAMESPACE_END
 #endif // !UCONFIG_NO_REGULAR_EXPRESSIONS
-
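Review bot: The new outer guard `if (fp->fInputIdx < fActiveLimit)` in the second hunk also encloses the `foldOffset < foldLength` branch, so code units still pending in `foldChars` are skipped once the last input character has been consumed. When the final input character has a multi-unit full case folding, `fInputIdx` already equals `fActiveLimit` while part of the folding is unread; `c_is_valid` then becomes FALSE and the remaining pattern characters are never compared, which looks like a false mismatch (the branch taken when that check fails lies outside the hunk, so this is inferred). The bounds check only needs to protect the `U16_NEXT` read from `inputBuf`: test `if(foldOffset < foldLength) {` first, make the input read `} else if (fp->fInputIdx < fActiveLimit) {`, and finish with `} else { c_is_valid = FALSE; }`. That keeps the uninitialized-read fix, because `c` is still used only when one of the two reads ran, and it makes the `U_ASSERT` unnecessary since it merely repeats the enclosing condition. A regression test with a case-insensitive match against text ending in such a character would pin the behaviour.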