blob: f1f0946ae714d0c648bfa4e9df5e3dbfa5c1d887 [file] [log] [blame]
Change 640274267 by sungyc@sungyc:fig-export-hunspell-7504-change-3:7518:citc on 2024/06/04 13:58:38
[hunspell][vulnerability fix] Fix incorrect string length for lcs algorithm
## Test plan
```
sso_client -location 'https://clusterfuzz.corp.google.com/testcase-detail/download-testcase?id=6268223149899776' > /tmp/testcase-6268223149899776 && \
blaze --blazerc=/dev/null test --config=fuzztest-msan \
--test_strategy=local \
--test_sharding_strategy=disabled \
--test_env=FUZZTEST_REPLAY=/tmp/testcase-6268223149899776 \
--test_filter=LLVMFuzzer.TestOneInput \
//third_party/hunspell/fuzzers:suggestions_fuzzer
```
## Description
This bug is triggered when an error occurs in `u8_u16` and returns -1 for the length.
- We malloc `(m + 1) * (n + 1)` bytes in the following line. Since one of `m` or `n` is -1 now, we're calling `malloc(0)` here.
- According to the documentation, `malloc(0)` can return `NULL` or a valid non-null pointer (freeable). In our system, `malloc(0)` returns the latter.
- Later when returning to the caller, we do:
```
i = m;
j = n;
while ((i != 0) && (j != 0)) {
if (result[i*(n+1) + j] == LCS_UPLEFT)
// ...
}
```
and potentially causes not only invalid iterations (since i, j are decremented only and will underflow when starting with -1), but also invalid access for `result[...]`.
Therefore, we should do early return in `lcs` algorithm when getting length <= 0.
PRESUBMIT=passed
BUG=336187503
R=tjbarron
APPROVED=tjbarron
REQUIRED_REVIEW=1
DELTA=4 (4 added, 0 deleted, 0 changed)
DELTA_BY_EXTENSION=cxx=4
OCL=639874531
FIG_CHANGESET=4acb332f66fbf4c2c694f9af5bd370a928e27010
FIG_WORKSPACE=sungyc/7504:hunspell
MARKDOWN=true
Affected files ...
... //depot//src/hunspell/suggestmgr.cxx#9 edit
==== //depot//src/hunspell/suggestmgr.cxx#8 - /google/src/files/640274267/depot//src/hunspell/suggestmgr.cxx ====
--- /google/src/files/615029530/depot//src/hunspell/suggestmgr.cxx 2024-03-12 10:13:27.000000000 -0400
+++ /google/src/files/640274267/depot//src/hunspell/suggestmgr.cxx 2024-06-04 16:58:38.000000000 -0400
@@ -1969,6 +1969,10 @@
m = strlen(s);
n = strlen(s2);
}
+ if (m <= 0 || n <= 0) {
+ *result = NULL;
+ return;
+ }
c = (char *) malloc((m + 1) * (n + 1));
b = (char *) malloc((m + 1) * (n + 1));
if (!c || !b) {