Change 205133714 by lbaudoin@lbaudoin:fuzzer-38f43:7919:citc on 2018/07/18 14:06:49
Fix yet another buffer overflow in hunspell.
PRESUBMIT=passed
BUG=67454984
FIXED=67454984
R=sfen,shine
CC=gmail-security+reviews,jduart,weihaw
APPROVED=sfen,shine
REQUIRED_REVIEW=1
DELTA_BY_EXTENSION=cxx=11
OCL=204925722
Affected files ...
... //depot//src/hunspell/hunspell.cxx#7 edit
... //depot//testdata/poc-38f43e7d002ec9c5711cea63753787e9c56533866247c1cf42d7e59eca991f8c#1 add
==== //depot//src/hunspell/hunspell.cxx#6 - /google/src/files/205133714/depot//src/hunspell/hunspell.cxx ====
--- /google/src/files/160419349/depot//src/hunspell/hunspell.cxx 2017-06-28 12:50:38.000000000 -0400
+++ /google/src/files/205133714/depot//src/hunspell/hunspell.cxx 2018-07-18 17:06:49.000000000 -0400
@@ -913,13 +913,17 @@
if (!spell(ppos)) {
nn = suggest(&nlst, ppos);
for (int j = nn - 1; j >= 0; j--) {
- strncpy(wspace, cw, ppos - cw);
- strcpy(wspace + (ppos - cw), nlst[j]);
- if (!last) {
- strcat(wspace, "-");
- strcat(wspace, pos + 1);
- }
- ns = insert_sug(slst, wspace, ns);
+ int suggestion_size =
+ ppos - cw + strlen(nlst[j]) + (last ? 0 : strlen(pos + 1) + 1);
+ if (suggestion_size < sizeof(wspace)) {
+ strncpy(wspace, cw, ppos - cw);
+ strcpy(wspace + (ppos - cw), nlst[j]);
+ if (!last) {
+ strcat(wspace, "-");
+ strcat(wspace, pos + 1);
+ }
+ ns = insert_sug(slst, wspace, ns);
+ }
free(nlst[j]);
}
if (nlst != NULL) free(nlst);
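Review bot: `suggestion_size` is declared `int`, but it is built from `strlen()` results and then compared with `sizeof(wspace)`, so the sum is narrowed to a signed type and converted back to unsigned for the comparison. Declaring it as `size_t suggestion_size = (size_t)(ppos - cw) + strlen(nlst[j]) + (last ? 0 : strlen(pos + 1) + 1);` keeps the whole bound check in one unsigned type and avoids the sign-compare warning. The guard also relies on `wspace` being a true array in this scope; its declaration is outside the hunk, and if it were a pointer, `sizeof(wspace)` would be the pointer size and nearly every suggestion would be dropped. A short comment above the `if`, such as `// skip suggestions that would not fit in wspace, including the terminating NUL`, would make the silent drop explicit. The enclosing function starts and ends outside the hunk.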