blob: 8876e6062974fa9fe906748afc536d6567cde2a8
Change 623201281 by sungyc@sungyc:fig-export-icing-153-change-480:7422:citc on 2024/04/09 10:03:04
[hunspell][vulnerability fix] Fix out-of-bound memory access
## Test plan
```
sso_client -location 'https://clusterfuzz.corp.google.com/testcase-detail/download-testcase?id=4514935680335872' > /tmp/testcase-4514935680335872 && \
blaze --blazerc=/dev/null test --config=fuzztest-msan \
--test_strategy=local \
--test_sharding_strategy=disabled \
--test_env=FUZZTEST_REPLAY=/tmp/testcase-4514935680335872 \
--test_filter=LLVMFuzzer.TestOneInput \
//third_party/hunspell/fuzzers:dict_fuzzer
```
## Description
b/326456405 reports a "use-of-uninitialized-value" bug. After investigation, it is caused by `reverse_condition()`.
- When doing `*(k+1) = *k`, if it is the first round, then `*(k+1)` is actually the `'\0'` character at the end of the string, and it is overwritten by `*k`.
- Since `'\0'` is wrongly overwritten, the next part of the code using this char array will iterate over the original `'\0'` and potentially use some uninitialized value(s) in the rest of the char array.
To fix this, we can simply add a condition to make sure the `*(k+1)` setter won't be executed in the first round. This fix is also available in the latest version of open source Hunspell ([link](https://github.com/hunspell/hunspell/blob/master/src/hunspell/affixmgr.cxx#L4388)).
PRESUBMIT=passed
BUG=326456405
R=mghiware
APPROVED=mghiware
REQUIRED_REVIEW=1
DELTA=3 (1 added, 0 deleted, 2 changed)
DELTA_BY_EXTENSION=cxx=3
OCL=621820692
FIG_CHANGESET=736c3d9eb7b5d829c4e05a7055da6987f4f2065e
FIG_WORKSPACE=sungyc/153:icing
MARKDOWN=true
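The mechanism described above, as an added example that is not part of this change or of Hunspell's code: a constructed model of the backward scan that reproduces only the `'^'` branch shown in the hunk, with the pre-fix write (`*(k+1) = *k` whenever `k+1` is not `']'`) and the fixed write (only when `neg` is set) selectable by a flag. The helper names (`caret_case_model`, `run_case`), the 16-byte buffer and its `'X'` filler standing in for the uninitialized tail MSan reported are all assumptions made for the demo; a sentinel NUL at the end of the buffer keeps the later `strlen()` in bounds so the clobbered terminator shows up as a length rather than as a crash.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the backward scan fixed in the hunk. This is NOT
 * Hunspell's reverse_condition(); only its '^' case is reproduced.
 * guarded == 0 runs the pre-fix branch (unconditional *(k+1) = *k),
 * guarded == 1 runs the fixed branch (write only when neg is set).
 * Returns the strlen() observed afterwards: if the terminator at
 * piece[len] was overwritten, the length runs into whatever follows. */
size_t caret_case_model(char *piece, int guarded) {
  size_t len = strlen(piece);
  int neg = 0;
  /* Same shape as the original loop: start at the last character and walk
   * to the front, so on the first iteration k + 1 is the NUL terminator. */
  for (size_t i = len; i-- > 0;) {
    char *k = piece + i;
    if (*k == '^') {
      if (*(k + 1) == ']')
        neg = 1;
      else if (!guarded || neg)   /* pre-fix: writes even into the NUL */
        *(k + 1) = *k;
    }
  }
  return strlen(piece);
}

/* Runs the model on a condition string ending in '^' placed in a buffer
 * whose tail is filled with a visible non-NUL pattern (a constructed
 * stand-in for the uninitialized bytes that followed the string). */
size_t run_case(int guarded) {
  char buf[16];
  memset(buf, 'X', sizeof buf);
  buf[sizeof buf - 1] = '\0';   /* sentinel so the demo stays in bounds */
  memcpy(buf, "a^", 3);         /* "a^\0" followed by 'X' bytes */
  return caret_case_model(buf, guarded);
}

int main(void) {
  printf("pre-fix  strlen after scan: %zu\n", run_case(0));
  printf("post-fix strlen after scan: %zu\n", run_case(1));
  return 0;
}
```

With the pre-fix branch the scan's first iteration copies `'^'` over `buf[2]`, the terminator, so the next `strlen()` walks through the filler until the sentinel; with the fixed branch `neg` is still 0 on that iteration, nothing is written and the string is still two bytes long.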
Affected files ...
... //depot//src/hunspell/affixmgr.cxx#20 edit
==== //depot//src/hunspell/affixmgr.cxx#19 - /google/src/files/623201281/depot//src/hunspell/affixmgr.cxx ====
--- /google/src/files/621067117/depot//src/hunspell/affixmgr.cxx 2024-04-02 02:29:44.000000000 -0400
+++ /google/src/files/623201281/depot//src/hunspell/affixmgr.cxx 2024-04-09 13:03:04.000000000 -0400
@@ -4253,7 +4253,8 @@
break;
}
case '^': {
- if (*(k+1) == ']') neg = 1; else *(k+1) = *k;
+ if (*(k+1) == ']') neg = 1;
+ else if (neg) *(k+1) = *k;
break;
}
default: {
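Review bot: the `else if (neg)` guard added to the `'^'` branch stops the first-iteration write to `*(k+1)` only indirectly, by relying on `neg` still being 0 when `k` points at the last character, so the terminator is no longer clobbered; nothing in the hunk records that invariant, and the same `*(k+1) = *k` write still runs whenever `neg` is set. A one-line comment tying the guard to the terminator, or an explicit check that `k+1` is inside the string, would make the intent clear to the next reader and keep the fix from silently regressing if `neg` handling changes. Separately, the test plan replays the ClusterFuzz reproducer by hand; checking that input into the fuzzer's regression corpus or a unit test would keep this path covered.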