patches/22.index_check.patch - hunspell - Git at Google

 Change 537915601 by sungyc@sungyc:fig-export-icing-153-change-350:5488:citc on 2023/06/05 10:29:15

 	[hunspell] Safe integer check for phone->num to prevent overflow

 	## Test plan
 	```
 	sso_client -location 'https://clusterfuzz.corp.google.com/testcase-detail/download-testcase?id=5179437376995328' > /tmp/testcase-5179437376995328 && \
 	blaze --blazerc=/dev/null test -c opt --config=asan-fuzzer --test_strategy=local --test_sharding_strategy=disabled \
 	  --test_env=ENABLE_BLAZE_TEST_FUZZING=1  --test_arg=-runs=100 --test_arg=/tmp/testcase-5179437376995328 \
 	  //third_party/hunspell/fuzzers:dict_fuzzer
 	```

 	## Description
 	- We malloc memory with size = `2 * (phone->num + 1) * sizeof(char *)` for `phone->rules`.
 	- If `phone->num` is too large, then it will cause integer overflow.

 	Change `phone->num` check in L3769 to prevent overflow. Also free `phone` before returning error to prevent memory leak.

 	PRESUBMIT=passed
 	BUG=280278127
 	R=mghiware
 	APPROVED=mghiware
 	REQUIRED_REVIEW=1
 	DELTA=15 (7 added, 4 deleted, 4 changed)
 	DELTA_BY_EXTENSION=cxx=11
 	OCL=537406342
 	FIG_CHANGESET=b89f41211e07c7f574813ec124d9743a7c505e10
 	FIG_WORKSPACE=sungyc/153:icing
 	MARKDOWN=true

 Affected files ...

 ... //depot//src/hunspell/affixmgr.cxx#12 edit

 ==== //depot//src/hunspell/affixmgr.cxx#11 - /google/src/files/537915601/depot//src/hunspell/affixmgr.cxx ====
 --- /google/src/files/537395995/depot//src/hunspell/affixmgr.cxx	2023-06-02 16:30:25.000000000 -0400
 +++ /google/src/files/537915601/depot//src/hunspell/affixmgr.cxx	2023-06-05 13:29:15.000000000 -0400
 @@ -1,19 +1,19 @@
 -#include "license.hunspell"
 -#include "license.myspell"
 +#include "affixmgr.hxx"

 +#include <ctype.h>
 +#include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
 -#include <stdio.h>
 -#include <ctype.h>

 +#include <limits>
  #include <memory>
  #include <vector>

 -#include "affixmgr.hxx"
  #include "affentry.hxx"
 -#include "langnum.hxx"
 -
  #include "csutil.hxx"
 +#include "langnum.hxx"
 +#include "license.hunspell"
 +#include "license.myspell"

  AffixMgr::AffixMgr(const char * affpath, HashMgr** ptr, int * md, const char * key)
  {
 @@ -3766,8 +3766,11 @@
                         phone->num = atoi(piece);
                         phone->rules = NULL;
                         phone->utf8 = (char) utf8;
 -                       if (phone->num < 1) {
 +                       if (phone->num < 1 ||
 +                           phone->num > std::numeric_limits<int>::max() / (2 * sizeof(char *)) - 1) {
                            HUNSPELL_WARNING(stderr, "error: line %d: bad entry number\n", af->getlinenum());
 +                          free(phone);
 +                          phone = NULL;
                            return 1;
                         }
                         phone->rules = (char * *) malloc(2 * (phone->num + 1) * sizeof(char *));
	Change 537915601 by sungyc@sungyc:fig-export-icing-153-change-350:5488:citc on 2023/06/05 10:29:15

	[hunspell] Safe integer check for phone->num to prevent overflow

	## Test plan
	```
	sso_client -location 'https://clusterfuzz.corp.google.com/testcase-detail/download-testcase?id=5179437376995328' > /tmp/testcase-5179437376995328 && \
	blaze --blazerc=/dev/null test -c opt --config=asan-fuzzer --test_strategy=local --test_sharding_strategy=disabled \
	--test_env=ENABLE_BLAZE_TEST_FUZZING=1 --test_arg=-runs=100 --test_arg=/tmp/testcase-5179437376995328 \
	//third_party/hunspell/fuzzers:dict_fuzzer
	```

	## Description
	- We malloc memory with size = `2 * (phone->num + 1) * sizeof(char *)` for `phone->rules`.
	- If `phone->num` is too large, then it will cause integer overflow.

	Change `phone->num` check in L3769 to prevent overflow. Also free `phone` before returning error to prevent memory leak.

	PRESUBMIT=passed
	BUG=280278127
	R=mghiware
	APPROVED=mghiware
	REQUIRED_REVIEW=1
	DELTA=15 (7 added, 4 deleted, 4 changed)
	DELTA_BY_EXTENSION=cxx=11
	OCL=537406342
	FIG_CHANGESET=b89f41211e07c7f574813ec124d9743a7c505e10
	FIG_WORKSPACE=sungyc/153:icing
	MARKDOWN=true

	Affected files ...

	... //depot//src/hunspell/affixmgr.cxx#12 edit

	==== //depot//src/hunspell/affixmgr.cxx#11 - /google/src/files/537915601/depot//src/hunspell/affixmgr.cxx ====
	--- /google/src/files/537395995/depot//src/hunspell/affixmgr.cxx 2023-06-02 16:30:25.000000000 -0400
	+++ /google/src/files/537915601/depot//src/hunspell/affixmgr.cxx 2023-06-05 13:29:15.000000000 -0400
	@@ -1,19 +1,19 @@
	-#include "license.hunspell"
	-#include "license.myspell"
	+#include "affixmgr.hxx"

	+#include <ctype.h>
	+#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	-#include <stdio.h>
	-#include <ctype.h>

	+#include <limits>
	#include <memory>
	#include <vector>

	-#include "affixmgr.hxx"
	#include "affentry.hxx"
	-#include "langnum.hxx"
	-
	#include "csutil.hxx"
	+#include "langnum.hxx"
	+#include "license.hunspell"
	+#include "license.myspell"

	AffixMgr::AffixMgr(const char * affpath, HashMgr** ptr, int * md, const char * key)
	{
	@@ -3766,8 +3766,11 @@
	phone->num = atoi(piece);
	phone->rules = NULL;
	phone->utf8 = (char) utf8;
	- if (phone->num < 1) {
	+ if (phone->num < 1 \|\|
	+ phone->num > std::numeric_limits<int>::max() / (2 * sizeof(char *)) - 1) {
	HUNSPELL_WARNING(stderr, "error: line %d: bad entry number\n", af->getlinenum());
	+ free(phone);
	+ phone = NULL;
	return 1;
	}
	phone->rules = (char * ) malloc(2 (phone->num + 1) * sizeof(char *));