blob: b5cdd6d298e201856fbf78caab6a9122b1240d12
Change 583481110 by sungyc@sungyc:fig-export-icing-153-change-460:7042:citc on 2023/11/17 14:01:57
[hunspell][vulnerability fix] Fix uninitialized error in SuggestMgr::commoncharacterpositions
## Test plan
```
sso_client -location 'https://clusterfuzz.corp.google.com/testcase-detail/download-testcase?id=6294633356263424' > /tmp/testcase-6294633356263424 && \
blaze --blazerc=/dev/null test --config=msan-fuzzer --test_strategy=local --test_sharding_strategy=disabled \
--test_env=ENABLE_BLAZE_TEST_FUZZING=1 --test_arg=-runs=100 --test_arg=/tmp/testcase-6294633356263424 \
//third_party/hunspell/fuzzers:suggestions_fuzzer
```
## Description
- Some uninitialized elements in `su2` will be used in `mkallsmall_utf` because we never check the return value of `l2`.
- If `l2 <= 0`, then we shouldn't proceed `mkallsmall_utf` with `su2`.
- Also double check the [latest hunspell SuggestMgr](https://github.com/hunspell/hunspell/blob/master/src/hunspell/suggestmgr.cxx#L2166-L2167). They also check `l1`, so let's do both.
PRESUBMIT=passed
BUG=309591156
R=adorokhine,mghiware
APPROVED=adorokhine,mghiware
REQUIRED_REVIEW=1
DELTA=5 (5 added, 0 deleted, 0 changed)
DELTA_BY_EXTENSION=cxx=5
OCL=583189793
FIG_CHANGESET=cbaaf79fbccd41c4cc9986332b3446a7d8896b41
FIG_WORKSPACE=sungyc/153:icing
MARKDOWN=true
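The pattern behind this fix, as an added example that is not part of the commit or of hunspell's code: a length returned by a string-conversion routine is used as an index (`l2-1`) into a buffer that is only initialized up to that length, so a zero or negative return must be rejected before the index is formed. `u8_to_u16` below is a constructed, simplified stand-in for hunspell's `u8_u16` (BMP only, no overlong-sequence check; it returns 0 for an empty string and -1 for malformed UTF-8), and `common_positions` is a hypothetical counterpart of `commoncharacterpositions` that lowercases only the last ASCII code unit of the second word; `MAXSWL` and `w_char_t` are assumed names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAXSWL 100            /* assumed bound, not hunspell's value */
typedef uint16_t w_char_t;    /* assumed stand-in for hunspell's w_char */

/* Constructed stand-in for u8_u16(): decode UTF-8 `src` into at most
 * `maxlen` UTF-16 code units in `dst`.  Returns the number of units
 * written, 0 for an empty string, -1 for malformed input.  Only the
 * first `return` value's worth of `dst` is initialized, exactly the
 * property the guard below has to respect. */
static int u8_to_u16(w_char_t *dst, int maxlen, const char *src) {
    const unsigned char *p = (const unsigned char *)src;
    int n = 0;
    while (*p && n < maxlen) {
        uint32_t cp;
        int extra;
        if (*p < 0x80)               { cp = *p;        extra = 0; }
        else if ((*p & 0xE0) == 0xC0) { cp = *p & 0x1F; extra = 1; }
        else if ((*p & 0xF0) == 0xE0) { cp = *p & 0x0F; extra = 2; }
        else return -1;  /* 4-byte sequences and stray continuation bytes */
        p++;
        for (int i = 0; i < extra; i++, p++) {
            if ((*p & 0xC0) != 0x80) return -1;  /* truncated sequence */
            cp = (cp << 6) | (*p & 0x3F);
        }
        dst[n++] = (w_char_t)cp;
    }
    return n;
}

/* Hypothetical counterpart of commoncharacterpositions(): count the
 * positions at which the two words carry the same code unit, after
 * lowercasing the last ASCII letter of the second word (a stand-in for
 * mkallsmall_utf(su2+l2-1, 1, langnum)). */
static int common_positions(const char *s1, const char *s2) {
    w_char_t su1[MAXSWL];
    w_char_t su2[MAXSWL];
    int l1 = u8_to_u16(su1, MAXSWL, s1);
    int l2 = u8_to_u16(su2, MAXSWL, s2);

    /* The guard from the change: with l2 == 0 the expression su2[l2-1]
     * would read su2[-1]; with a negative l2 it would point even further
     * outside the initialized part of su2.  Neither word can share a
     * position with an empty or undecodable one, so 0 is the right answer. */
    if (l1 <= 0 || l2 <= 0) {
        return 0;
    }

    w_char_t *last = &su2[l2 - 1];
    if (*last >= 'A' && *last <= 'Z') {
        *last = (w_char_t)(*last + ('a' - 'A'));
    }

    int n = l1 < l2 ? l1 : l2;
    int common = 0;
    for (int i = 0; i < n; i++) {
        if (su1[i] == su2[i]) common++;
    }
    return common;
}

int main(void) {
    /* constructed inputs: the empty and malformed cases are the ones the
     * unguarded version would mishandle */
    printf("abc / abC      -> %d\n", common_positions("abc", "abC"));
    printf("'' / abc       -> %d\n", common_positions("", "abc"));
    printf("0xFF / abc     -> %d\n", common_positions("\xff", "abc"));
    printf("h\xc3\xa9llo / hello -> %d\n",
           common_positions("h\xc3\xa9" "llo", "hello"));
    return 0;
}
```

The decoder's contract is the whole point: every caller that turns its return value into an index has to treat a non-positive result as "nothing to index", which is what the five added lines in the patch do.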
Affected files ...
... //depot//src/hunspell/suggestmgr.cxx#6 edit
==== //depot//src/hunspell/suggestmgr.cxx#5 - /google/src/files/583481110/depot//src/hunspell/suggestmgr.cxx ====
--- /google/src/files/205077565/depot//src/hunspell/suggestmgr.cxx 2018-07-18 10:48:28.000000000 -0400
+++ /google/src/files/583481110/depot//src/hunspell/suggestmgr.cxx 2023-11-17 17:01:57.000000000 -0500
@@ -1868,6 +1868,11 @@
w_char su2[MAXSWL];
int l1 = u8_u16(su1, MAXSWL, s1);
int l2 = u8_u16(su2, MAXSWL, s2);
+
+ if (l1 <= 0 || l2 <= 0) {
+ return 0;
+ }
+
// decapitalize dictionary word
if (complexprefixes) {
mkallsmall_utf(su2+l2-1, 1, langnum);
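Review bot: the guard `if (l1 <= 0 || l2 <= 0) { return 0; }` sits at the right spot, ahead of `mkallsmall_utf(su2+l2-1, 1, langnum)`, which with `l2 == 0` would otherwise index `su2[-1]` and, if `u8_u16` signals failure with a negative value, would point even further outside the initialized part of `su2`; checking `l1` as well matches the upstream check cited in the description. Suggest a one-line comment above the `if` saying that a non-positive length means there are no common positions, so the early `return 0` reads as the intended result rather than as an error sentinel.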