
ICU-23418 Fix null pointer dereferences in SearchIterator constructors on allocation failure#4011

Open
UnLucky252 wants to merge 1 commit into unicode-org:main from UnLucky252:fix-ICU-23418-search

Conversation

@UnLucky252

Linked Jira issue

ICU-23418

Summary

All four SearchIterator constructors (icu4c/source/i18n/search.cpp)
used the result of uprv_malloc(sizeof(USearch)) to initialize the
USearch fields without a NULL check.

Cause

On OOM uprv_malloc returns NULL; every field write is then undefined
behavior.

Fix

These are protected base-class constructors with no UErrorCode
(subclasses such as StringSearch already propagate
U_MEMORY_ALLOCATION_ERROR, and the destructor already guards for
nullptr). Guard the field initialization in each constructor with
if (m_search_ != nullptr). In the CharacterIterator constructor,
text.getText(m_text_) is moved before the guard so it always runs.

Testing

Existing tests pass (no behavior change on the success path). No new
test added — the OOM path requires allocator injection that is not
part of the standard test harness.

Notes

Found by static analysis (Svace, ISP RAS).

Checklist

  • Required: Issue filed: ICU-23418
  • Required: The PR title must be prefixed with a JIRA Issue number. Example: "ICU-NNNNN Fix xyz"
  • Required: Each commit message must be prefixed with a JIRA Issue number. Example: "ICU-NNNNN Fix xyz"
  • Issue accepted (done by Technical Committee after discussion)
  • Tests included, if applicable
  • API docs and/or User Guide docs changed or added, if applicable
  • Approver: Feel free to merge on my behalf
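The pattern this PR describes, as an added C++ example that is not ICU's code: a hypothetical base class (DemoSearchIterator) with a protected constructor and no error code, a hypothetical subclass (DemoStringSearch) that reports the base-class allocation failure the way the description says StringSearch does, and an injectable allocator (demoMalloc, g_failNextAlloc) so the OOM path can actually be exercised. All names are assumptions for illustration.

```cpp
#include <cstdlib>
#include <cstdint>

// Hypothetical stand-in for the USearch struct (not ICU's definition).
struct DemoSearch { int32_t matchedIndex; int32_t matchedLength; bool isOverlap; };

enum DemoErrorCode { DEMO_ZERO_ERROR = 0, DEMO_MEMORY_ALLOCATION_ERROR = 7 };

// Injectable allocator: lets a test force the next allocation to fail.
static bool g_failNextAlloc = false;
static void* demoMalloc(size_t n) {
    if (g_failNextAlloc) { g_failNextAlloc = false; return nullptr; }
    return std::malloc(n);
}

// Base class modelled on the pattern in the PR: protected constructor, no error code.
class DemoSearchIterator {
protected:
    DemoSearch* m_search_;
    DemoSearchIterator()
        : m_search_(static_cast<DemoSearch*>(demoMalloc(sizeof(DemoSearch)))) {
        // The fix: only initialize the fields when the allocation succeeded.
        if (m_search_ != nullptr) {
            m_search_->matchedIndex = -1;
            m_search_->matchedLength = 0;
            m_search_->isOverlap = false;
        }
    }
public:
    // Destructor guards for nullptr, as the PR says the real one already does.
    virtual ~DemoSearchIterator() { if (m_search_ != nullptr) std::free(m_search_); }
    bool isValid() const { return m_search_ != nullptr; }
};

// Subclass that does carry an error code and propagates the allocation failure.
class DemoStringSearch : public DemoSearchIterator {
public:
    explicit DemoStringSearch(DemoErrorCode& status) : DemoSearchIterator() {
        if (status == DEMO_ZERO_ERROR && m_search_ == nullptr) {
            status = DEMO_MEMORY_ALLOCATION_ERROR;
        }
    }
};

// Constructs under a forced OOM; without the guard this would dereference nullptr.
DemoErrorCode constructUnderOom() {
    g_failNextAlloc = true;
    DemoErrorCode status = DEMO_ZERO_ERROR;
    DemoStringSearch s(status);
    return status;
}

// Success path for comparison: no error is reported.
DemoErrorCode constructNormally() {
    DemoErrorCode status = DEMO_ZERO_ERROR;
    DemoStringSearch s(status);
    return status;
}
```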

…s on allocation failure

All four SearchIterator constructors used the result of
uprv_malloc(sizeof(USearch)) to initialize the USearch fields without
a NULL check, which is undefined behavior on OOM.

These are protected base-class constructors with no UErrorCode;
subclasses such as StringSearch already propagate
U_MEMORY_ALLOCATION_ERROR. The destructor already guards for nullptr.

Guard the field initialization in each constructor with
if (m_search_ != nullptr). In the CharacterIterator constructor,
text.getText(m_text_) is moved before the guard so it always runs.

Found by static analysis (Svace, ISP RAS).