blob: 52064b057dbefee2098541c0088a57ce4540ad2a
Change 613323525 by sungyc@sungyc:fig-export-icing-153-change-473:7348:citc on 2024/03/06 13:30:53
[hunspell][vulnerability fix] Use calloc to initialize all allocated bytes to 0
## Test plan
```
sso_client -location 'https://clusterfuzz.corp.google.com/testcase-detail/download-testcase?id=5038681210028032' > /tmp/testcase-5038681210028032 && \
blaze --blazerc=/dev/null test -c opt --config=fuzztest --copt=-DNDEBUG \
--test_strategy=local \
--test_sharding_strategy=disabled \
--test_env=FUZZTEST_REPLAY=/tmp/testcase-5038681210028032 \
--test_filter=LLVMFuzzer.TestOneInput \
//third_party/hunspell/fuzzers:dict_fuzzer
```
## Description
- Each element in `defcpdtable` contains a pointer to another `malloc` buffer.
- `defcpdtable` is not initialized (or is only partially initialized) after `malloc`. The pointer may still contain an invalid non-null value, so `free_defcpdtable` calls `free` with an invalid address and causes an error.
By switching to `calloc`, all bytes are initialized to 0, so the pointer is initialized as `NULL`. Then `free_defcpdtable` will correctly skip freeing the NULL pointer.
PRESUBMIT=passed
BUG=325538748
R=mghiware
APPROVED=mghiware
REQUIRED_REVIEW=1
DELTA=1 (0 added, 0 deleted, 1 changed)
DELTA_BY_EXTENSION=cxx=1
OCL=612537516
DIFFBASE=612513824
FIG_CHANGESET=0f4c956db8114c22bca3683d2087fd101d3ddc8f
FIG_WORKSPACE=sungyc/153:icing
MARKDOWN=true
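The failure mode the description refers to, as an added worked example (not hunspell's code): a table of entries whose element buffers are allocated by a parser, a parse that stops part way through on a bad line, and a cleanup routine that frees every non-NULL element. The struct and function names (`flag_entry`, `flag_table`, `table_alloc`, `table_parse`, `table_free`, `partial_parse_roundtrip`) and the "parser" are constructed stand-ins for `flagentry`, `defcpdtable` and `free_defcpdtable`. Because `table_alloc` uses `calloc`, the slots the parser never reached hold NULL and the cleanup is well defined; with `malloc` the same cleanup would pass stale heap bytes to `free`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for hunspell's flagentry: a heap-allocated flag array
   plus its length. Names here are hypothetical, not hunspell's. */
typedef struct {
    unsigned short *def;   /* malloc'ed by the parser, NULL until parsed */
    int len;
} flag_entry;

typedef struct {
    flag_entry *table;     /* numdefcpd-style array of entries */
    int count;             /* slots allocated, not slots parsed */
} flag_table;

/* Allocate n slots. calloc zero-fills, so every def pointer starts out NULL
   even if the parser later stops before reaching that slot. calloc also
   rejects an n * sizeof product that would overflow size_t. */
static int table_alloc(flag_table *t, int n) {
    t->table = NULL;
    t->count = 0;
    if (n <= 0) return 0;
    t->table = (flag_entry *)calloc((size_t)n, sizeof(flag_entry));
    if (!t->table) return 0;
    t->count = n;
    return 1;
}

/* Constructed "parser": fills slot i with i+1 flags and fails (returns 0)
   when it reaches index bad_line, leaving the remaining slots untouched.
   This mirrors an affix-file parse that bails out part way through. */
static int table_parse(flag_table *t, int bad_line) {
    for (int i = 0; i < t->count; i++) {
        if (i == bad_line) return 0;          /* "bad entry" on this line */
        int len = i + 1;
        unsigned short *d = (unsigned short *)malloc((size_t)len * sizeof *d);
        if (!d) return 0;
        for (int j = 0; j < len; j++) d[j] = (unsigned short)(j + 1);
        t->table[i].def = d;
        t->table[i].len = len;
    }
    return 1;
}

/* Cleanup in the style of free_defcpdtable: free each slot's buffer if it is
   non-NULL, then the table itself. Safe after a partial parse only because the
   unparsed slots are guaranteed to hold NULL. Returns the number of element
   buffers freed. */
static int table_free(flag_table *t) {
    int freed = 0;
    if (t->table) {
        for (int i = 0; i < t->count; i++) {
            if (t->table[i].def) {
                free(t->table[i].def);
                t->table[i].def = NULL;
                freed++;
            }
        }
        free(t->table);
        t->table = NULL;
    }
    t->count = 0;
    return freed;
}

/* Allocate n slots, parse until bad_line, clean up. Returns how many element
   buffers were freed, i.e. how many slots were actually populated, or -1 if
   the table allocation failed. Had table_alloc used malloc, this same
   sequence would call free() on whatever bytes the unparsed slots contained. */
int partial_parse_roundtrip(int n, int bad_line) {
    flag_table t;
    if (!table_alloc(&t, n)) return -1;
    (void)table_parse(&t, bad_line);
    return table_free(&t);
}

int main(void) {
    printf("populated before bad line: %d\n", partial_parse_roundtrip(8, 3));
    printf("fully parsed: %d\n", partial_parse_roundtrip(8, -1));
    return 0;
}
```

The example relies on the same property the change relies on: zero-filled memory reads as NULL pointers on every platform hunspell targets, so a cleanup that tests each pointer before freeing it needs no separate "how many entries were parsed" bookkeeping. The alternative, which is equally valid, is to keep `malloc` and have the parser record how many entries it populated so cleanup only walks that prefix.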
Affected files ...
... //depot//src/hunspell/affixmgr.cxx#17 edit
==== //depot//src/hunspell/affixmgr.cxx#16 - /google/src/files/613323525/depot//src/hunspell/affixmgr.cxx ====
--- /google/src/files/613323179/depot//src/hunspell/affixmgr.cxx 2024-03-06 16:29:53.000000000 -0500
+++ /google/src/files/613323525/depot//src/hunspell/affixmgr.cxx 2024-03-06 16:30:53.000000000 -0500
@@ -3965,7 +3965,7 @@
HUNSPELL_WARNING(stderr, "error: line %d: bad entry number\n", af->getlinenum());
return 1;
}
- defcpdtable = (flagentry *) malloc(numdefcpd * sizeof(flagentry));
+ defcpdtable = (flagentry *) calloc(numdefcpd, sizeof(flagentry));
if (!defcpdtable) {
free_defcpdtable();
return 1;
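Review bot: switching to `calloc(numdefcpd, sizeof(flagentry))` makes the unparsed tail of the table hold NULL pointers so `free_defcpdtable()` no longer frees garbage, but it leaves the underlying shape of the problem in place: `numdefcpd` is treated as the number of populated entries while the parse loop that fills them can still bail out early. Consider also having the parser record how many entries it actually populated (or only bump the count after each entry's pointer is set) so cleanup walks a known prefix rather than depending on zero-fill. Two smaller points on the same line: `calloc` additionally refuses a `numdefcpd * sizeof(flagentry)` product that overflows `size_t`, which the old `malloc(numdefcpd * sizeof(flagentry))` did not, so this is worth mentioning in the description since `numdefcpd` comes from the input line checked just above; and the failure branch calls `free_defcpdtable()` with `defcpdtable` already NULL, which is fine only if that helper tolerates a NULL table and resets `numdefcpd`, so please confirm that or skip the call on this path.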