@jshin-- Is there an existing Chromium bug that describes the issue, or can you provide the information necessary for security triage? 

If the status is Started, are you the Owner for this issue?

Assigning security severity and impact based on the expectation that this is a memory overwrite in the render process.

jshin@, if you're not the right person to fix this, can you please help find an owner?

Sorry for the delay. 

https://chromium-review.googlesource.com/c/chromium/deps/icu/+/809729 is a CL. 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/deps/icu.git/+/4e320f95dc700bf662966c741f24da412fa10df1

commit 4e320f95dc700bf662966c741f24da412fa10df1
Author: Jungshik Shin <jshin@chromium.org>
Date: Tue Dec 12 23:19:06 2017

Cherry-pick an upstream fix for Calendar class

TBR=elwarence@chromium.org
Bug:  792537 
Change-Id: Idfc4fa258d0f9ffb6fd236183275ec4580a00f73
Reviewed-on: https://chromium-review.googlesource.com/809729
Reviewed-by: Jungshik Shin <jshin@chromium.org>

[modify] https://crrev.com/4e320f95dc700bf662966c741f24da412fa10df1/README.chromium
[add] https://crrev.com/4e320f95dc700bf662966c741f24da412fa10df1/patches/calendar.patch
[modify] https://crrev.com/4e320f95dc700bf662966c741f24da412fa10df1/source/i18n/calendar.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/27be5b2f24250e2b35d2c0746a685c2ff4ab784f

commit 27be5b2f24250e2b35d2c0746a685c2ff4ab784f
Author: Jungshik Shin <jshin@chromium.org>
Date: Thu Dec 14 21:38:31 2017

Roll ICU to  94d819f

Add a test for German time format (12hr with AM/PM marker).

It has 3 changes:

 https://chromium.googlesource.com/chromium/deps/icu.git/+log/e3b480d..94d819f

 2017-12-13 jshin@chromium.org Update German AM/PM marker to the previous value
 2017-12-13 jshin@chromium.org Cherry-pick an upstream fix for UTF8 to UTF8 conversion
 2017-12-12 jshin@chromium.org Cherry-pick an upstream fix for Calendar class

Bug:  794737 , 794390 , 792537 
Test: base_unittests --gtest_filter=TimeFormat*.*TimeOfDayDE
Test:  crbug.com/794737#c2 
Change-Id: Ifa6d31624cbd9d4edc1b776e34527d8e842f7290
Reviewed-on: https://chromium-review.googlesource.com/826363
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Mark Mentovai <mark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#524189}
[modify] https://crrev.com/27be5b2f24250e2b35d2c0746a685c2ff4ab784f/DEPS
[modify] https://crrev.com/27be5b2f24250e2b35d2c0746a685c2ff4ab784f/base/i18n/time_formatting_unittest.cc

This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Approving merge to M64. Branch:3282

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/e3f547afefe52835be482b32421c016dc90ddc4f

commit e3f547afefe52835be482b32421c016dc90ddc4f
Author: Jungshik Shin <jungshik@google.com>
Date: Tue Jan 02 18:38:21 2018

In   bug 794737  , I got a merge approval and ICU was rolled for M64 branch to include a change recorded in comment 4.

re comment 1:

I thought I had replied, but perhaps not submitted my comment. 

Below is a copy of the ICU bug (https://ssl.icu-project.org/trac/ticket/13457 ).

-------------cut----------here------------------
ICU4C's Calendar class has a buffer overrun bug with its validLocale and actualLocale fields. The problem was found while running the Clang address sanitizer tool on a No Data ICU test.

The fields in question are fixed size buffers, declared here: calendar.h:2332

 private:
    char validLocale[ULOC_FULLNAME_CAPACITY];
    char actualLocale[ULOC_FULLNAME_CAPACITY];
The Calendar assignment operator, and, indirectly, the copy constructor, copy the fields with no buffer length check. calendar.cpp:825

Calendar &
Calendar::operator=(const Calendar &right)
{
   ...
        uprv_strcpy(validLocale, right.validLocale);
        uprv_strcpy(actualLocale, right.actualLocale);
The constructors do not initialize the locale fields. The factories normally do, but there is evidently some path through with error conditions that leaves them uninitialized.

The obvious fixes are to initialize the fields in the constructors, and to use strncpy instead of strcpy to avoid problems if we do end up with an unterminated string. (A real possibility, given the state of the locale id code).


--------------cut---------here-------------------------

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot