| Change 171343973 by lbaudoin@lbaudoin:hunspell-crash:6404:citc on 2017/10/06 14:25:31 |
| |
| Fix a buffer overflow in hunspell. |
| Also tested manually against the hunspell 1.3.4 test suite. |
| |
| PRESUBMIT=passed |
| BUG=67454984 |
| FIXED=67454984 |
| R=lianglin |
| CC=asergeev,gmail-security+reviews |
| APPROVED=lianglin |
| REQUIRED_REVIEW=1 |
| DELTA_BY_EXTENSION=cxx=3 |
| OCL=171341547 |
| |
| Affected files ... |
| |
| ... //depot//src/hunspell/affentry.cxx#3 edit |
| |
| ==== //depot//src/hunspell/affentry.cxx#2 - /google/src/files/171343973/depot//src/hunspell/affentry.cxx ==== |
| --- /google/src/files/49864191/depot//src/hunspell/affentry.cxx 2013-07-24 23:12:12.000000000 -0400 |
| +++ /google/src/files/171343973/depot//src/hunspell/affentry.cxx 2017-10-06 17:25:31.000000000 -0400 |
| @@ -586,7 +586,8 @@ |
| // it checked in test_condition() |
| |
| if ((tmpl > 0 || (tmpl == 0 && pmyMgr->get_fullstrip())) && |
| - (tmpl + stripl >= numconds)) { |
| + (tmpl + stripl >= numconds) && |
| + (len < sizeof(tmpword))) { |
| |
| // generate new root word by removing suffix and adding |
| // back any characters that would have been stripped or |
| @@ -594,7 +595,7 @@ |
| |
| strcpy (tmpword, word); |
| cp = (unsigned char *)(tmpword + tmpl); |
| - if (stripl) { |
| + if (stripl && len + stripl < sizeof(tmpword)) { |
| strcpy ((char *)cp, strip); |
| tmpl += stripl; |
| cp = (unsigned char *)(tmpword + tmpl); |
