blob: 6d400c3a6e187a04a96d5169d5e45f9cda5b9e8d [file] [log] [blame] [edit]
Change 537395995 by sungyc@sungyc:fig-export-icing-153-change-348:5470:citc on 2023/06/02 13:30:25
[hunspell] Check index before accessing when advancing
## Test plan
```
sso_client -location 'https://clusterfuzz.corp.google.com/testcase-detail/download-testcase?id=5157202356469760' > /tmp/testcase-5157202356469760 && blaze --blazerc=/dev/null test -c opt --config=asan-fuzzer --test_strategy=local --test_sharding_strategy=disabled --test_env=ENABLE_BLAZE_TEST_FUZZING=1 --test_env=ASAN_OPTIONS="fast_unwind_on_fatal=0" --test_arg=-runs=100 --test_arg=/tmp/testcase-5157202356469760 //third_party/hunspell/fuzzers:suggestions_fuzzer
```
## Description
When advancing `i` for utf-8, we have to make sure `i < cmax` before accessing `st[i]` since it is possible that `(st[i] & 0xc0) == 0x80` still holds after `i` is out of bound. See below printed debug message:
```
cmin: 3, cmax: 6
i = 4
i = 5
i = 6
i = 7
i = 8
i = 9
i = 10
i = 11
...
```
PRESUBMIT=passed
BUG=280418190
R=mghiware
CC=adorokhine
APPROVED=mghiware
REQUIRED_REVIEW=1
DELTA=1 (0 added, 0 deleted, 1 changed)
DELTA_BY_EXTENSION=cxx=1
OCL=537368756
FIG_CHANGESET=640c9939f4f2ae8a3b8c92921c2eff1488d668df
FIG_WORKSPACE=sungyc/153:icing
MARKDOWN=true
Affected files ...
... //depot//src/hunspell/affixmgr.cxx#11 edit
==== //depot//src/hunspell/affixmgr.cxx#10 - /google/src/files/537395995/depot//src/hunspell/affixmgr.cxx ====
--- /google/src/files/522447888/depot//src/hunspell/affixmgr.cxx 2023-04-06 18:08:14.000000000 -0400
+++ /google/src/files/537395995/depot//src/hunspell/affixmgr.cxx 2023-06-02 16:30:25.000000000 -0400
@@ -1572,7 +1572,7 @@
for (i = cmin; i < cmax; i++) {
// go to end of the UTF-8 character
if (utf8) {
- for (; (st[i] & 0xc0) == 0x80; i++);
+ for (; i < cmax && ((st[i] & 0xc0) == 0x80); i++);
if (i >= cmax) {
free(rwords);
return NULL;