blob: 3b7292c37d8cd894b6bf88b08cb3e6f5bb573b36
Change 614065610 by sungyc@sungyc:fig-export-icing-153-change-474:7360:citc on 2024/03/08 15:43:37
[hunspell][vulnerability fix] Set buffer to NULL to avoid double free
## Test plan
```
sso_client -location 'https://clusterfuzz.corp.google.com/testcase-detail/download-testcase?id=5492326057705472' > /tmp/testcase-5492326057705472 && \
blaze --blazerc=/dev/null test -c opt --config=fuzztest --copt=-DNDEBUG \
--test_strategy=local \
--test_sharding_strategy=disabled \
--test_env=FUZZTEST_REPLAY=/tmp/testcase-5492326057705472 \
--test_filter=LLVMFuzzer.TestOneInput \
//third_party/hunspell/fuzzers:suggestions_fuzzer
```
## Description
It is possible that `wlst[i]` is allocated from another place (`*slst`). When freeing `wlst[i]`, we have to set the value to NULL, otherwise the original `*slst` will be freed again.
PRESUBMIT=passed
BUG=325540032
R=mghiware
APPROVED=mghiware
REQUIRED_REVIEW=1
DELTA=4 (3 added, 0 deleted, 1 changed)
DELTA_BY_EXTENSION=cxx=4
OCL=613985492
FIG_CHANGESET=e5882c8089a4dacab8b1ef3e281163b25362f1b9
FIG_WORKSPACE=sungyc/153:icing
MARKDOWN=true
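The description above explains the bug as an ownership problem: the slots of `wlst` may be the very entries that the caller owns through `*slst`, so freeing them without clearing the slot leaves the owner to free the same memory a second time. The following C program is an added illustration of that pattern, not hunspell code and not part of the commit; it models the aliasing as `wlst` pointing at the same slots as `slst` (an assumption about how the two lists relate), shows the pre-patch and post-patch release loops side by side, and measures the outcome without ever performing the second free.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_SUG 4  /* stands in for hunspell's maxSug; constructed value */

/* Constructed helper: heap copy of a string (avoids relying on strdup). */
static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Constructed: fill every slot of a suggestion array with a heap string. */
static void fill_list(char **lst, int n) {
    for (int i = 0; i < n; i++) lst[i] = dup_str("suggestion");
}

/* Release loop as it read before the patch: the slot keeps its old value. */
static void release_unfixed(char **wlst, int n) {
    for (int i = 0; i < n; i++)
        if (wlst[i]) free(wlst[i]);
}

/* Release loop as the patch rewrites it: free, then clear the slot. */
static void release_fixed(char **wlst, int n) {
    for (int i = 0; i < n; i++) {
        if (wlst[i]) {
            free(wlst[i]);
            wlst[i] = NULL;
        }
    }
}

/* Owner-side cleanup that a caller later runs on its own list (*slst).
 * Frees only non-NULL slots and returns how many it freed. */
static int free_owner_list(char **slst, int n) {
    int freed = 0;
    for (int i = 0; i < n; i++) {
        if (slst[i]) {
            free(slst[i]);
            slst[i] = NULL;
            freed++;
        }
    }
    return freed;
}

/* Count slots still holding a (now dangling) pointer after a scratch
 * release. Each such slot is one free() the owner would repeat. The
 * pointer value is only compared with NULL, never dereferenced. */
static int count_dangling(char **lst, int n) {
    int c = 0;
    for (int i = 0; i < n; i++)
        if (lst[i]) c++;
    return c;
}

/* Scenario with the pre-patch loop. wlst aliases the caller's list
 * (assumed, per the commit description). Returns the number of slots
 * the owner would free a second time; the second free is not executed. */
int dangling_after_unfixed_release(void) {
    char *slst[MAX_SUG];
    fill_list(slst, MAX_SUG);
    char **wlst = slst;                    /* alias: same slots, two names */
    release_unfixed(wlst, MAX_SUG);
    return count_dangling(slst, MAX_SUG);  /* MAX_SUG: every slot dangles */
}

/* Same scenario with the patched loop: the owner's later cleanup finds
 * every slot NULL and frees nothing, so there is no second free. */
int owner_frees_after_fixed_release(void) {
    char *slst[MAX_SUG];
    fill_list(slst, MAX_SUG);
    char **wlst = slst;                    /* alias, as above */
    release_fixed(wlst, MAX_SUG);
    return free_owner_list(slst, MAX_SUG); /* 0 */
}
```

The two scenario functions differ only in which release loop they call, which is exactly the four-line change in the patch: once the slot is cleared, the owner's `if (slst[i])` guard (and `free(NULL)` itself, which is a no-op) makes the later cleanup harmless.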
Affected files ...
... //depot//src/hunspell/suggestmgr.cxx#7 edit
==== //depot//src/hunspell/suggestmgr.cxx#6 - /google/src/files/614065610/depot//src/hunspell/suggestmgr.cxx ====
--- /google/src/files/583481110/depot//src/hunspell/suggestmgr.cxx 2023-11-17 17:01:57.000000000 -0500
+++ /google/src/files/614065610/depot//src/hunspell/suggestmgr.cxx 2024-03-08 18:43:37.000000000 -0500
@@ -159,7 +159,10 @@
// Added to handle wrong encoded UTF-8 strings - jiho@google.com
if (wl <= 0) {
for (int i = 0; i < maxSug; i++) {
- if (wlst[i]) free(wlst[i]);
+ if (wlst[i]) {
+ free(wlst[i]);
+ wlst[i] = NULL;
+ }
}
if (!*slst) {
free(wlst);
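Review bot: the new `wlst[i] = NULL;` line carries no comment saying why it is needed; the reason (an entry of `wlst` may be the same allocation as an entry of `*slst`, per the description) is not visible from the loop itself, so a one-line comment such as `/* wlst may alias *slst; clear the slot so the caller's free is a no-op */` would stop a later cleanup from "simplifying" it back out. The surrounding `if (wlst[i])` guard is no longer required for correctness, since `free(NULL)` is a no-op, but keeping it is harmless and matches the style of the rest of the loop.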