ICU-23252 Fix int overflow in messagepattern.cpp

See #3762

Author: FrankYFTang

icu4c/source/common/messagepattern.cpp

@@ -914,8 +914,9 @@ MessagePattern::parseArgNumber(const UnicodeString &s, int32_t start, int32_t li
         if(0x30<=c && c<=0x39) {
             if(number>=INT32_MAX/10) {
                 badNumber=true;  // overflow
+            } else {
+                number=number*10+(c-0x30);
             }
-            number=number*10+(c-0x30);
         } else {
             return UMSGPAT_ARG_NAME_NOT_NUMBER;
         }

icu4c/source/test/intltest/tmsgfmt.cpp

@@ -75,6 +75,7 @@ TestMessageFormat::runIndexedTest(int32_t index, UBool exec,
     TESTCASE_AUTO(TestMessageFormatNumberSkeleton);
     TESTCASE_AUTO(TestMessageFormatDateSkeleton);
     TESTCASE_AUTO(TestMessageFormatTimeSkeleton);
+    TESTCASE_AUTO(TestNumberOverflow);
     TESTCASE_AUTO_END;
 }
 
@@ -2075,4 +2076,9 @@ void TestMessageFormat::TestMessageFormatTimeSkeleton() {
     doTheRealDateTimeSkeletonTesting(date, u"{0,time,'::'yMMMMd}", "en", u"::2021November23", status);
 }
 
+void TestMessageFormat::TestNumberOverflow() {
+    IcuTestErrorCode status(*this, "TestNumberOverflow");
+    MessageFormat msgf(u"{90000000000}", status);
+    status.expectErrorAndReset(U_PATTERN_SYNTAX_ERROR);
+}
 #endif /* #if !UCONFIG_NO_FORMATTING */

icu4c/source/test/intltest/tmsgfmt.h

@@ -124,6 +124,7 @@ class TestMessageFormat: public IntlTest {
     void TestMessageFormatNumberSkeleton();
     void TestMessageFormatDateSkeleton();
     void TestMessageFormatTimeSkeleton();
+    void TestNumberOverflow();
 
 private:
     UnicodeString GetPatternAndSkipSyntax(const MessagePattern& pattern);

icu4j/main/core/src/main/java/com/ibm/icu/text/MessagePattern.java

@@ -1382,13 +1382,14 @@ private static int parseArgNumber(CharSequence s, int start, int limit) {
         } else {
             return ARG_NAME_NOT_NUMBER;
         }
-        while (start < limit) {
+        while(start<limit) {
             c = s.charAt(start++);
-            if ('0' <= c && c <= '9') {
-                if (number >= Integer.MAX_VALUE / 10) {
-                    badNumber = true; // overflow
+            if('0'<=c && c <= '9') {
+                if(number >= Integer.MAX_VALUE / 10) {
+                    badNumber = true;  // overflow
+                } else {
+                    number = number * 10 + (c - '0');
                 }
-                number = number * 10 + (c - '0');
             } else {
                 return ARG_NAME_NOT_NUMBER;
             }

icu4j/main/core/src/test/java/com/ibm/icu/dev/test/format/MessageRegressionTest.java

@@ -948,4 +948,13 @@ public void TestSerialization() {
                 "ab3.3cd4,4ef***gh50\u00A0%ij",
                 format2.format(new Object[] {4.4, 3.3, "+++", "***", 50}));
     }
+    @Test
+    public void TestNumberOverflow() {
+        try {
+            MessageFormat format = new MessageFormat("{90000000000}");
+            errln("MessageFormat overflow should throw IllegalArgumentException");
+        } catch (IllegalArgumentException e) {
+            // expeted
+        }
+    }
 }