what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ICU Heap / Integer Overflows

ICU Heap / Integer Overflows
Posted May 5, 2015
Authored by Pedro Ribeiro

The ICU library suffers from heap and integer overflows. Confirmed vulnerable are versions 52 through 54.

tags | advisory, overflow
advisories | CVE-2014-8146, CVE-2014-8147
SHA-256 | 7838891b3655e544c63b5e770a89434ff480af212dde30baf5d45c12b9933665

ICU Heap / Integer Overflows

Change Mirror Download
tl;dr heap and integer overflows in ICU, many packages affected,
unknown if these can be exploited or not - everyone names vulns
nowadays, so I name these I-C-U-FAIL.


I have found two vulnerabilities in the ICU library while fuzzing
LibreOffice, full details in the advisory below.
Disclosure of these was done initially to LibreOffice and then to
distro-security. I then reported it to Chromium, Android and finally
CERT, so I ended up breaking the rules of distro-security which
requires that any vulnerability reported to the list is made public in
14 days. I apologise for this to oss-security, distro-security and
Solar Designer, and will not do it again.

A full copy of the advisory below can be found in my repo at


>> Heap overflow and integer overflow in ICU library
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
Disclosure: 04/05/2015 / Last updated: 04/05/2015

>> Background on the affected products:
ICU is a mature, widely used set of C/C++ and Java libraries providing
Unicode and Globalization support for software applications. ICU is
widely portable and gives applications the same results on all
platforms and between C/C++ and Java software.

>> Summary:
While fuzzing LibreOffice an integer overflow and a heap overflow
where found in the ICU library. This library is used by LibreOffice
and hundreds of other software packages.
Proof of concept files can be downloaded from [1]. These files have
been tested with LibreOffice and LibreOffice 4.4.0-beta2 and
ICU 52.
Note that at this point in time it is unknown whether these
vulnerabilities are exploitable.
Thanks to CERT [2] for helping disclose these vulnerabilities.

>> Technical details:
Vulnerability: Heap overflow

The code to blame is the following (from ubidi.c:2148 in ICU 52):
if((dirProp==LRI || dirProp==RLI) && limit<pBiDi->length) {
processPropertySeq(pBiDi, &levState, eor, limit, limit);

Under certain conditions, isolateCount is incremented too many times,
which results in several out of bounds writes. See [1] for a more
detailed analysis.

Vulnerability: Integer overflow

The overflow is on the resolveImplicitLevels function (ubidi.c:2248):

pBiDi->isolates[].state is a int16, while levState.state is a int32.
The overflow causes an error when performing a malloc on
pBiDi->insertPoints->points because insertPoints is adjacent in memory
to isolates[].

The Isolate struct is defined in ubidiimp.h:184
typedef struct Isolate {
int32_t startON;
int32_t start1;
int16_t stateImp;
int16_t state;
} Isolate;

LevState is defined in ubidi.c:1748
typedef struct {
const ImpTab * pImpTab; /* level table pointer */
const ImpAct * pImpAct; /* action map array */
int32_t startON; /* start of ON sequence */
int32_t startL2EN; /* start of level 2 sequence */
int32_t lastStrongRTL; /* index of last found R or AL */
int32_t state; /* current state */
int32_t runStart; /* start position of the run */
UBiDiLevel runLevel; /* run level before implicit solving */
} LevState;

>> Fix:
The ICU versions that are confirmed to be affected are 52 to 54, but
earlier versions might also be affected. Upgrade to ICU 55.1 to fix
these vulnerabilities.
Note that there are probably many other software packages that embed
the ICU code and will probably also need to be updated.

>> References:
[1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z
[2] https://www.kb.cert.org/vuls/id/602540
Login or Register to add favorites

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    8 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    17 Files
  • 26
    Sep 26th
    3 Files
  • 27
    Sep 27th
    13 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By