patches/41.heap_overflow.patch - hunspell - Git at Google

 Change 623201869 by sungyc@sungyc:fig-export-icing-153-change-481:7428:citc on 2024/04/09 10:04:20

 	[hunspell][vulnerability fix] Fix heap buffer overflow error

 	## Test plan
 	```
 	blaze --blazerc=/dev/null test -c opt --config=fuzztest --copt=-DNDEBUG \
 	  --test_strategy=local \
 	  --test_sharding_strategy=disabled \
 	  --test_env=FUZZTEST_REPLAY=/tmp/testcase-4897268770078720 \
 	  --test_filter=LLVMFuzzer.TestOneInput \
 	  //third_party/hunspell/fuzzers:dict_fuzzer
 	```

 	## Description
 	Add check for `s2` to make sure `s2` doesn't go out of bound.

 	PRESUBMIT=passed
 	BUG=326385709
 	R=mghiware
 	APPROVED=mghiware
 	REQUIRED_REVIEW=1
 	DELTA=1 (0 added, 0 deleted, 1 changed)
 	DELTA_BY_EXTENSION=cxx=1
 	OCL=621828139
 	DIFFBASE=621820692
 	FIG_CHANGESET=5c6280f36dbdf8e1365a5a5b3111be309251be25
 	FIG_WORKSPACE=sungyc/153:icing
 	MARKDOWN=true

 Affected files ...

 ... //depot//src/hunspell/affixmgr.cxx#21 edit

 ==== //depot//src/hunspell/affixmgr.cxx#20 - /google/src/files/623201869/depot//src/hunspell/affixmgr.cxx ====
 --- /google/src/files/623201281/depot//src/hunspell/affixmgr.cxx	2024-04-09 13:03:04.000000000 -0400
 +++ /google/src/files/623201869/depot//src/hunspell/affixmgr.cxx	2024-04-09 13:04:20.000000000 -0400
 @@ -1088,7 +1088,7 @@
  // return 1 if s1 is a leading subset of s2 (dots are for infixes)
  inline int AffixMgr::isSubset(const char * s1, const char * s2)
   {
 -    while (((*s1 == *s2) || (*s1 == '.')) && (*s1 != '\0')) {
 +    while (((*s1 == *s2) || (*s1 == '.')) && (*s1 != '\0') && (*s2 != '\0')) {
          s1++;
          s2++;
      }
	Change 623201869 by sungyc@sungyc:fig-export-icing-153-change-481:7428:citc on 2024/04/09 10:04:20

	[hunspell][vulnerability fix] Fix heap buffer overflow error

	## Test plan
	```
	blaze --blazerc=/dev/null test -c opt --config=fuzztest --copt=-DNDEBUG \
	--test_strategy=local \
	--test_sharding_strategy=disabled \
	--test_env=FUZZTEST_REPLAY=/tmp/testcase-4897268770078720 \
	--test_filter=LLVMFuzzer.TestOneInput \
	//third_party/hunspell/fuzzers:dict_fuzzer
	```

	## Description
	Add check for `s2` to make sure `s2` doesn't go out of bound.

	PRESUBMIT=passed
	BUG=326385709
	R=mghiware
	APPROVED=mghiware
	REQUIRED_REVIEW=1
	DELTA=1 (0 added, 0 deleted, 1 changed)
	DELTA_BY_EXTENSION=cxx=1
	OCL=621828139
	DIFFBASE=621820692
	FIG_CHANGESET=5c6280f36dbdf8e1365a5a5b3111be309251be25
	FIG_WORKSPACE=sungyc/153:icing
	MARKDOWN=true

	Affected files ...

	... //depot//src/hunspell/affixmgr.cxx#21 edit

	==== //depot//src/hunspell/affixmgr.cxx#20 - /google/src/files/623201869/depot//src/hunspell/affixmgr.cxx ====
	--- /google/src/files/623201281/depot//src/hunspell/affixmgr.cxx 2024-04-09 13:03:04.000000000 -0400
	+++ /google/src/files/623201869/depot//src/hunspell/affixmgr.cxx 2024-04-09 13:04:20.000000000 -0400
	@@ -1088,7 +1088,7 @@
	// return 1 if s1 is a leading subset of s2 (dots are for infixes)
	inline int AffixMgr::isSubset(const char * s1, const char * s2)
	{
	- while (((s1 == s2) \|\| (s1 == '.')) && (s1 != '\0')) {
	+ while (((s1 == s2) \|\| (s1 == '.')) && (s1 != '\0') && (*s2 != '\0')) {
	s1++;
	s2++;
	}