| Change 205133714 by lbaudoin@lbaudoin:fuzzer-38f43:7919:citc on 2018/07/18 14:06:49 |
| |
| Fix yet another buffer overflow in hunspell. |
| |
| PRESUBMIT=passed |
| BUG=67454984 |
| FIXED=67454984 |
| R=sfen,shine |
| CC=gmail-security+reviews,jduart,weihaw |
| APPROVED=sfen,shine |
| REQUIRED_REVIEW=1 |
| DELTA_BY_EXTENSION=cxx=11 |
| OCL=204925722 |
| |
| Affected files ... |
| |
| ... //depot//src/hunspell/hunspell.cxx#7 edit |
| ... //depot//testdata/poc-38f43e7d002ec9c5711cea63753787e9c56533866247c1cf42d7e59eca991f8c#1 add |
| |
| ==== //depot//src/hunspell/hunspell.cxx#6 - /google/src/files/205133714/depot//src/hunspell/hunspell.cxx ==== |
| --- /google/src/files/160419349/depot//src/hunspell/hunspell.cxx 2017-06-28 12:50:38.000000000 -0400 |
| +++ /google/src/files/205133714/depot//src/hunspell/hunspell.cxx 2018-07-18 17:06:49.000000000 -0400 |
| @@ -913,13 +913,17 @@ |
| if (!spell(ppos)) { |
| nn = suggest(&nlst, ppos); |
| for (int j = nn - 1; j >= 0; j--) { |
| - strncpy(wspace, cw, ppos - cw); |
| - strcpy(wspace + (ppos - cw), nlst[j]); |
| - if (!last) { |
| - strcat(wspace, "-"); |
| - strcat(wspace, pos + 1); |
| - } |
| - ns = insert_sug(slst, wspace, ns); |
| + int suggestion_size = |
| + ppos - cw + strlen(nlst[j]) + (last ? 0 : strlen(pos + 1) + 1); |
| + if (suggestion_size < sizeof(wspace)) { |
| + strncpy(wspace, cw, ppos - cw); |
| + strcpy(wspace + (ppos - cw), nlst[j]); |
| + if (!last) { |
| + strcat(wspace, "-"); |
| + strcat(wspace, pos + 1); |
| + } |
| + ns = insert_sug(slst, wspace, ns); |
| + } |
| free(nlst[j]); |
| } |
| if (nlst != NULL) free(nlst); |
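Review bot: `suggestion_size` is declared `int` although it is the sum of a pointer difference and two `strlen` results, and it is then compared against `sizeof(wspace)`, so the length is narrowed and the guard mixes signed and unsigned operands. A negative value fails the check after conversion to unsigned, but on typical platforms a sum above `INT_MAX` would be truncated and could pass the guard. Keeping the arithmetic in `size_t` avoids both: `size_t suggestion_size = (size_t)(ppos - cw) + strlen(nlst[j]) + (last ? 0 : strlen(pos + 1) + 1);`. The guard also bounds the `strncpy`/`strcpy`/`strcat` writes only if `wspace` is an array in this scope rather than a pointer; its declaration, like the start and end of the enclosing function, is outside the hunk, so that should be confirmed. A short comment such as `// Skip suggestions that would not fit in wspace (including the NUL).` above the `if` would record that over-long suggestions are dropped on purpose.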