| Change 638422913 by sungyc@sungyc:fig-export-hunspell-7504-change-1:7506:citc on 2024/05/29 14:58:51 |
| |
| [hunspell][vulnerability fix] Fix index out of bound error |
| |
| ## Test plan |
| ``` |
| sso_client -location 'https://clusterfuzz.corp.google.com/testcase-detail/download-testcase?id=6366934184034304' > /tmp/testcase-6366934184034304 && \ |
| blaze --blazerc=/dev/null test -c opt --config=fuzztest --copt=-DNDEBUG \ |
| --test_strategy=local \ |
| --test_sharding_strategy=disabled \ |
| --test_env=FUZZTEST_REPLAY=/tmp/testcase-6366934184034304 \ |
| --test_filter=LLVMFuzzer.TestOneInput \ |
| //third_party/hunspell/fuzzers:suggestions_fuzzer |
| ``` |
| |
| ## Description |
| The error is caused by `unicw + wl2 + 1` when `wl2` is -1. In fact, this won't cause index error because it is +1 again, but the detector throws the error before +1. |
| |
| Therefore, we add parentheses to make `(wl2+1)` evaluated first. |
| |
| PRESUBMIT=passed |
| BUG=331844463 |
| R=tjbarron |
| APPROVED=tjbarron |
| REQUIRED_REVIEW=1 |
| DELTA=1 (0 added, 0 deleted, 1 changed) |
| DELTA_BY_EXTENSION=cxx=1 |
| OCL=638394343 |
| FIG_CHANGESET=99e275a304d53a94f8ec1902d4c753ca0ab282ee |
| FIG_WORKSPACE=sungyc/7504:hunspell |
| MARKDOWN=true |
| |
| Affected files ... |
| |
| ... //depot//src/hunspell/hunspell.cxx#10 edit |
| |
| ==== //depot//src/hunspell/hunspell.cxx#9 - /google/src/files/638422913/depot//src/hunspell/hunspell.cxx ==== |
| --- /google/src/files/560733739/depot//src/hunspell/hunspell.cxx 2023-08-28 12:31:02.000000000 -0400 |
| +++ /google/src/files/638422913/depot//src/hunspell/hunspell.cxx 2024-05-29 17:58:51.000000000 -0400 |
| @@ -410,7 +410,7 @@ |
| wl2 = u8_u16(tmpword, MAXWORDLEN, cw); |
| *apostrophe = '\''; |
| if (wl2 < nc) { |
| - mkinitcap2(apostrophe + 1, unicw + wl2 + 1, nc - wl2 - 1); |
| + mkinitcap2(apostrophe + 1, unicw + (wl2 + 1), nc - wl2 - 1); |
| rv = checkword(cw, info, root); |
| if (rv) break; |
| } |
