From 4493d0acd68f0d3f1b0f1b6c79e3934bfa3207ed Mon Sep 17 00:00:00 2001
From: Adam Dickmeiss
Date: Thu, 9 Jun 2011 15:25:17 +0200
Subject: [PATCH] Work around a bug in ucol_getSortKey

The problem seen is that ucol_getSortkey writes one byte at the capacity position. This in turn, results in malloc heap corruption.
---
 src/icu_sortkey.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/icu_sortkey.c b/src/icu_sortkey.c
index 8fed394..c9fc380 100644
--- a/src/icu_sortkey.c
+++ b/src/icu_sortkey.c
@@ -32,12 +32,15 @@ void icu_sortkey8_from_utf16(UCollator *coll,
 UErrorCode * status)
 {
 int32_t sortkey_len = 0;
-
+ /* we'll fake a capacity of one less, because it turns out
+ that ucol_getSortKey writes ONE character too much */
+ int32_t cap = dest8->utf8_cap ? dest8->utf8_cap - 1 : 0;
+
 sortkey_len = ucol_getSortKey(coll, src16->utf16, src16->utf16_len,
- dest8->utf8, dest8->utf8_cap);
+ dest8->utf8, cap);

 /* check for buffer overflow, resize and retry */
- if (sortkey_len > dest8->utf8_cap)
+ if (sortkey_len > cap)
 {
 icu_buf_utf8_resize(dest8, sortkey_len * 2);
 sortkey_len = ucol_getSortKey(coll, src16->utf16, src16->utf16_len,
-- 
1.7.10.4
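Review bot: The retry call after `icu_buf_utf8_resize` is not covered by the workaround as far as this hunk shows: its argument line lies past the end of the hunk and none of the three deletions touches it, so it presumably still passes the full `dest8->utf8_cap`. If ucol_getSortKey really writes a byte at the capacity position, the resized buffer is exposed to the same one-byte heap overrun on that path. Recompute the reduced value after the resize and pass it to the second call as well, e.g. `cap = dest8->utf8_cap ? dest8->utf8_cap - 1 : 0;` followed by `dest8->utf8, cap);`. The comment would also be more useful if it named the ICU release in which the overrun was observed, so the workaround can be retired once a fixed version is required. The body of icu_sortkey8_from_utf16 continues outside the hunk.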