ICU-22475 Fix double free in Locale under OOM

See #2567
2025-04-10 07:39:16 +00:00 · 2023-08-29 22:49:52 +00:00 · 2023-08-29 22:49:52 +00:00 · 35bae683a5
commit 35bae683a5
parent 02d5e71903
2 changed files with 7 additions and 2 deletions
--- a/icu4c/source/common/uloc_tag.cpp
+++ b/icu4c/source/common/uloc_tag.cpp
@ -2092,12 +2092,13 @@ ultag_parse(const char* tag, int32_t tagLen, int32_t* parsedLen, UErrorCode* sta
            int32_t oldTagLength = tagLen;
            if (tagLen < newTagLength) {
                uprv_free(tagBuf);
-                tagBuf = (char*)uprv_malloc(newTagLength + 1);
+                // Change t->buf after the free and before return to avoid the second double free in
+                // the destructor of t when t is out of scope.
+                t->buf = tagBuf = (char*)uprv_malloc(newTagLength + 1);
                if (tagBuf == nullptr) {
                    *status = U_MEMORY_ALLOCATION_ERROR;
                    return nullptr;
                }
-                t->buf = tagBuf;
                tagLen = newTagLength;
            }
            parsedLenDelta = checkLegacyLen - replacementLen;
--- a/icu4c/source/test/cintltst/cloctst.c
+++ b/icu4c/source/test/cintltst/cloctst.c
@ -2508,6 +2508,10 @@ static void TestCanonicalization21749StackUseAfterScope(void)
                input, u_errorName(status));
        return;
    }
+
+    // ICU-22475 test that we don't free an internal buffer twice.
+    status = U_ZERO_ERROR;
+    uloc_canonicalize("ti-defaultgR-lS-z-UK-0P", buffer, UPRV_LENGTHOF(buffer), &status);
 }

 static void TestDisplayKeywords(void)