Change 537406616 by sungyc@sungyc:fig-export-icing-153-change-349:5478:citc on 2023/06/02 14:14:02
[hunspell] Safe integer check for tablesize to prevent overflow
## Test plan
```
sso_client -location 'https://clusterfuzz.corp.google.com/testcase-detail/download-testcase?id=4972064410566656' > /tmp/testcase-4972064410566656 && \
blaze --blazerc=/dev/null test -c opt --config=asan-fuzzer --test_strategy=local --test_sharding_strategy=disabled \
--test_env=ENABLE_BLAZE_TEST_FUZZING=1 --test_arg=-runs=100 --test_arg=/tmp/testcase-4972064410566656 \
//third_party/hunspell/fuzzers:dict_fuzzer
```
## Description
- The input table size is `2147483647`.
- We add `5 + USERWORD` to it, which causes integer overflow.
Change `tablesize` check in L390 to prevent overflow.
PRESUBMIT=passed
BUG=280277605
R=mghiware
APPROVED=mghiware
REQUIRED_REVIEW=1
DELTA=15 (7 added, 4 deleted, 4 changed)
DELTA_BY_EXTENSION=cxx=11
OCL=537399369
FIG_CHANGESET=4fe6f3569fee5591c986f4905e54c74a8cea8192
FIG_WORKSPACE=sungyc/153:icing
MARKDOWN=true
Affected files ...
... //depot//src/hunspell/hashmgr.cxx#7 edit
==== //depot//src/hunspell/hashmgr.cxx#6 - /google/src/files/537406616/depot//src/hunspell/hashmgr.cxx ====
--- /google/src/files/524965870/depot//src/hunspell/hashmgr.cxx 2023-04-17 18:28:39.000000000 -0400
+++ /google/src/files/537406616/depot//src/hunspell/hashmgr.cxx 2023-06-02 17:14:02.000000000 -0400
@@ -1,14 +1,16 @@
-#include "license.hunspell"
-#include "license.myspell"
+#include "hashmgr.hxx"
-#include <stdlib.h>
-#include <string.h>
-#include <stdio.h>
#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <limits>
-#include "hashmgr.hxx"
-#include "csutil.hxx"
#include "atypes.hxx"
+#include "csutil.hxx"
+#include "license.hunspell"
+#include "license.myspell"
// build a hash table from a munched word list
@@ -385,7 +387,8 @@
}
tablesize = atoi(ts);
- if (tablesize == 0) {
+ if (tablesize <= 0 ||
+ tablesize > std::numeric_limits<int>::max() - 5 - USERWORD) {
HUNSPELL_WARNING(stderr, "error: line 1: missing or bad word count in the dic file\n");
delete dict;
return 4;
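Review bot: `tablesize = atoi(ts);` still converts the word count before the new range check runs, and `atoi` has undefined behaviour when the digits do not fit in an `int`, so a count longer than the one in the test case is not guaranteed to be rejected by the comparison that follows. Parsing with `strtol` (with `<errno.h>` included) would make the rejection well defined, e.g. `errno = 0; long n = strtol(ts, NULL, 10);` followed by `if (errno == ERANGE || n <= 0 || n > std::numeric_limits<int>::max() - 5 - USERWORD) {`, assigning `tablesize = (int)n` only after that check passes. Separately, the accepted upper bound is still close to `INT_MAX`, so a dictionary that declares a very large count can presumably still drive a very large table allocation later in the function; whether that allocation is checked is not visible here. The enclosing function starts and ends outside this hunk.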