head 1.2;
access;
symbols
    pkgsrc-2019Q1:1.1.0.4
    pkgsrc-2019Q1-base:1.1
    pkgsrc-2018Q4:1.1.0.2;
locks; strict;
comment @# @;


1.2
date 2019.04.03.00.13.00; author ryoon; state dead;
branches;
next 1.1;
commitid L6hn1Da9qey9QPhB;

1.1
date 2019.02.13.20.51.57; author spz; state Exp;
branches
    1.1.2.1;
next ;
commitid ixTGfzepGypIgEbB;

1.1.2.1
date 2019.02.13.20.51.57; author bsiegert; state dead;
branches;
next 1.1.2.2;
commitid PfP9qOddV7PE8ZbB;

1.1.2.2
date 2019.02.16.11.43.16; author bsiegert; state Exp;
branches;
next ;
commitid PfP9qOddV7PE8ZbB;


desc
@@


1.2
log
@Update to 64.1

Changelog:
Common Changes
    Unicode 12: 554 new characters, including 4 new scripts and 61 new emoji characters.
    CLDR 35
        Somali and Javanese data now up to modern level
        Cebuano, Hausa, Igbo, and Yoruba data now up to basic level
        23 additional measurement units
        Many data additions and corrections in many other languages
    The following language has been added to ICU: Cebuano
    This version of ICU does not yet implement the Indic Grapheme Cluster improvements from CLDR 35.
    New Japanese calendar era from 2019:
        CLDR and ICU include data for testing that can be enabled. (ICU #12973, CLDR #10750)
        To enable CLDR new Japanese era placeholder name, set environment variable (and Java system property for ICU4J) ICU_ENABLE_TENTATIVE_ERA=true (This was added in ICU 63).
        Support added for Gannen year numbering (using 元 for the first year of an era) in the Japanese locale Japanese-calendar full, long, and medium formats. Gannen year support is also automatically added for other non-numeric formats (those containing other kanji characters such as 年) derived from pattern skeletons unless specifically overridden. (ICU #20441, CLDR #11843, CLDR #11819)
        We are planning for an ICU 64.2 update in 2019-April which will add the new Japanese era with its real name.
    ICU 64 now uses "rearguard" TZ data. (Recent versions have used "vanguard" data with certain overrides.)
    (ICU-20398)
    ICU data filtering: The ICU4C build accepts an optional filter script that specifies a subset of the data to be built, with whitelists and blacklists for locales and for resource bundle paths. (ICU-10923, design doc)
        See this new documentation page: userguide/icu_data/buildtool.md
    MessageFormat has new pattern syntax for specifying the style of a date/time argument via a locale-independent skeleton rather than a locale-specific pattern. (ICU-9622)
        Date/time skeletons use the same "::" prefix as number skeletons.
        Example MessageFormat pattern string: "We close on {closing,date,::MMMMd} at {closing,time,::jm}."
    Many formatting APIs can now output a new type of result object which is-a FormattedValue (Java & C++), or convertible to a UFormattedValue (C). These combine the result strings with easy iteration over FieldPosition metadata.

ICU4C Specific Changes
    New C++ class LocaleBuilder for building a Locale from subtags, keywords, and extensions. (ICU-20328)
        Parallel to the existing ICU4J ULocale.Builder class.
    For C++ MeasureUnit instances, there are now additional factory methods that return units by value, not by pointer-with-ownership. (ICU-20337)
    Various Out-Of-Memory (OOM) issues have been fixed. (ticket query)
@
text
@$NetBSD: patch-CVE-2018-18928,v 1.1 2019/02/13 20:51:57 spz Exp $

fix for CVE-2018-18928 from https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51

--- i18n/fmtable.cpp.orig 2018-09-29 00:34:42.000000000 +0000 +++ i18n/fmtable.cpp @@@@ -734,7 +734,7 @@@@ CharString *Formattable::internalGetChar // not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?). 
if (fDecimalQuantity->isZero()) { fDecimalStr->append("0", -1, status); - } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) { + } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) { fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status); } else { fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status); --- i18n/number_decimalquantity.cpp.orig 2018-10-01 22:39:56.000000000 +0000 +++ i18n/number_decimalquantity.cpp @@@@ -820,7 +820,10 @@@@ UnicodeString DecimalQuantity::toScienti } result.append(u'E'); int32_t _scale = upperPos + scale; - if (_scale < 0) { + if (_scale == INT32_MIN) { + result.append({u"-2147483648", -1}); + return result; + } else if (_scale < 0) { _scale *= -1; result.append(u'-'); } else { --- test/intltest/numfmtst.cpp.orig 2018-10-01 22:39:56.000000000 +0000 +++ test/intltest/numfmtst.cpp @@@@ -9226,6 +9226,14 @@@@ void NumberFormatTest::Test20037_Scienti assertEquals(u"Should not overflow and should parse only the first exponent", u"1E-2147483647", {sp.data(), sp.length(), US_INV}); + + // Test edge case overflow of exponent + result = Formattable(); + nf->parse(u".0003e-2147483644", result, status); + sp = result.getDecimalNumber(status); + assertEquals(u"Should not overflow", + u"3E-2147483648", + {sp.data(), sp.length(), US_INV}); } void NumberFormatTest::Test13840_ParseLongStringCrash() { @ 1.1 log @add patch for CVE-2018-18928 from upstream @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2018-18928 was added on branch pkgsrc-2018Q4 on 2019-02-16 11:43:16 +0000 @ text @d1 49 @ 1.1.2.2 log @Pullup ticket #5909 - requested by spz textproc/icu: security fix Revisions pulled up: - textproc/icu/Makefile 1.121 - textproc/icu/distinfo 1.81 - textproc/icu/patches/patch-CVE-2018-18928 1.1 --- Module Name: pkgsrc Committed By: spz Date: Wed Feb 13 20:51:57 UTC 2019 Modified Files: pkgsrc/textproc/icu: Makefile distinfo Added 
Files: pkgsrc/textproc/icu/patches: patch-CVE-2018-18928 Log Message: add patch for CVE-2018-18928 from upstream @ text @a0 49 $NetBSD: patch-CVE-2018-18928,v 1.1 2019/02/13 20:51:57 spz Exp $ fix for CVE-2018-18928 from https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51 --- i18n/fmtable.cpp.orig 2018-09-29 00:34:42.000000000 +0000 +++ i18n/fmtable.cpp @@@@ -734,7 +734,7 @@@@ CharString *Formattable::internalGetChar // not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?). if (fDecimalQuantity->isZero()) { fDecimalStr->append("0", -1, status); - } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) { + } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) { fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status); } else { fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status); --- i18n/number_decimalquantity.cpp.orig 2018-10-01 22:39:56.000000000 +0000 +++ i18n/number_decimalquantity.cpp @@@@ -820,7 +820,10 @@@@ UnicodeString DecimalQuantity::toScienti } result.append(u'E'); int32_t _scale = upperPos + scale; - if (_scale < 0) { + if (_scale == INT32_MIN) { + result.append({u"-2147483648", -1}); + return result; + } else if (_scale < 0) { _scale *= -1; result.append(u'-'); } else { --- test/intltest/numfmtst.cpp.orig 2018-10-01 22:39:56.000000000 +0000 +++ test/intltest/numfmtst.cpp @@@@ -9226,6 +9226,14 @@@@ void NumberFormatTest::Test20037_Scienti assertEquals(u"Should not overflow and should parse only the first exponent", u"1E-2147483647", {sp.data(), sp.length(), US_INV}); + + // Test edge case overflow of exponent + result = Formattable(); + nf->parse(u".0003e-2147483644", result, status); + sp = result.getDecimalNumber(status); + assertEquals(u"Should not overflow", + u"3E-2147483648", + {sp.data(), sp.length(), US_INV}); } void NumberFormatTest::Test13840_ParseLongStringCrash() { 
@
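Review bot: In the i18n/fmtable.cpp hunk, the changed `else if` calls fDecimalQuantity->getMagnitude() twice and gives no reason for the INT32_MIN comparison. Read the magnitude once into a local int32_t and add a comment that std::abs(INT32_MIN) is not representable in int32_t, so the guard has to be evaluated first. The existing comment above it ("greater than -5 and smaller than some amount (+5?)") should be updated at the same time, because an INT32_MIN magnitude now falls through to toScientificString().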
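Review bot: In the i18n/number_decimalquantity.cpp hunk, the new `_scale == INT32_MIN` branch protects only the `_scale *= -1` negation. The unchanged line `int32_t _scale = upperPos + scale;` still computes the sum in int32_t before the check, so if both operands are int32_t the addition itself can overflow for other inputs. Consider doing the addition in int64_t (or with an overflow-checked add) and clamping the result, and add a comment that the literal u"-2147483648" is INT32_MIN written out because it cannot be produced by negating _scale.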
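Review bot: In the test/intltest/numfmtst.cpp hunk, the added lines never check `status` after nf->parse() and result.getDecimalNumber(status), so a failure in either call would show up only as a string mismatch in assertEquals. Assert on status before the comparison, and consider a second input whose exponent lands below INT32_MIN, since the added case pins only the exact boundary (.0003e-2147483644 giving 3E-2147483648).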