Change 205077565 by lbaudoin@lbaudoin:hunspell3:7918:citc on 2018/07/18 07:48:28
Fix a buffer overflow in hunspell.
PRESUBMIT=passed
BUG=62755495
FIXED=62755495
R=shine
CC=gmail-security+reviews,jduart,weihaw
APPROVED=shine
REQUIRED_REVIEW=1
DELTA_BY_EXTENSION=cxx=12
OCL=204916935
Affected files ...
... //depot//src/hunspell/suggestmgr.cxx#5 edit
... //depot//testdata/poc-e70b6035dbc764fd241582c5f013edd783749a6ef4e8f653501e2a687c118cb0-180711063041634658#1 add
==== //depot//src/hunspell/suggestmgr.cxx#4 - /google/src/files/205077565/depot//src/hunspell/suggestmgr.cxx ====
--- /google/src/files/151456944/depot//src/hunspell/suggestmgr.cxx 2017-03-28 12:13:02.000000000 -0400
+++ /google/src/files/205077565/depot//src/hunspell/suggestmgr.cxx 2018-07-18 10:48:28.000000000 -0400
@@ -712,16 +712,21 @@
w_char * p;
clock_t timelimit = clock();
int timer = MINTIMER;
+ if (wl > MAXSWL || wl < 0) {
+ return -1;
+ }
// try inserting a tryme character at the end of the word and before every letter
for (int i = 0; i < ctryl; i++) {
memcpy (candidate_utf, word, wl * sizeof(w_char));
- for (p = candidate_utf + wl; p >= candidate_utf; p--) {
- *(p + 1) = *p;
- *p = ctry_utf[i];
- u16_u8(candidate, MAXSWUTF8L, candidate_utf, wl + 1);
- ns = testsug(wlst, candidate, strlen(candidate), ns, cpdsuggest, &timer, &timelimit);
- if (ns == -1) return -1;
- if (!timer) return ns;
+ for (p = candidate_utf + wl;
+ p >= candidate_utf && p < candidate_utf + MAXSWL - 1; p--) {
+ *(p + 1) = *p;
+ *p = ctry_utf[i];
+ u16_u8(candidate, MAXSWUTF8L, candidate_utf, wl + 1);
+ ns = testsug(wlst, candidate, strlen(candidate), ns, cpdsuggest, &timer,
+ &timelimit);
+ if (ns == -1) return -1;
+ if (!timer) return ns;
}
}
return ns;
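Review bot: The new guard `if (wl > MAXSWL || wl < 0)` still admits wl == MAXSWL and wl == MAXSWL - 1, and only the added loop condition `p < candidate_utf + MAXSWL - 1` keeps those lengths from writing `*(p + 1)` past the buffer; because p only decreases, that condition matters on loop entry alone, and such words silently yield no candidates. Stating the limit once at the top would be clearer, e.g. `if (wl < 0 || wl >= MAXSWL - 1) return ns;`, with the loop condition left as `p >= candidate_utf`. Returning -1 also reuses the value propagated from the testsug failure path, so an over-long word presumably looks like a hard error to the caller; returning ns would keep the suggestions gathered so far, if that is the intent. Separately, the final `p--` steps one element before candidate_utf before the comparison runs, which is undefined pointer arithmetic; an index loop such as `for (int k = wl; k >= 0; k--)` avoids it. The function signature and the declaration of candidate_utf lie outside the hunk, so the buffer size of MAXSWL is inferred from the loop bound.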
==== //depot//testdata/poc-e70b6035dbc764fd241582c5f013edd783749a6ef4e8f653501e2a687c118cb0-180711063041634658 - /google/src/files/205077565/depot//testdata/poc-e70b6035dbc764fd241582c5f013edd783749a6ef4e8f653501e2a687c118cb0-180711063041634658 ==== (binary)
(... files differ ...)