Change 537915601 by sungyc@sungyc:fig-export-icing-153-change-350:5488:citc on 2023/06/05 10:29:15
[hunspell] Safe integer check for phone->num to prevent overflow
## Test plan
```
sso_client -location 'https://clusterfuzz.corp.google.com/testcase-detail/download-testcase?id=5179437376995328' > /tmp/testcase-5179437376995328 && \
blaze --blazerc=/dev/null test -c opt --config=asan-fuzzer --test_strategy=local --test_sharding_strategy=disabled \
--test_env=ENABLE_BLAZE_TEST_FUZZING=1 --test_arg=-runs=100 --test_arg=/tmp/testcase-5179437376995328 \
//third_party/hunspell/fuzzers:dict_fuzzer
```
## Description
- We malloc memory with size = `2 * (phone->num + 1) * sizeof(char *)` for `phone->rules`.
- If `phone->num` is too large, then it will cause integer overflow.
Change the `phone->num` check at L3769 to prevent the overflow. Also free `phone` before returning the error, to prevent a memory leak.
PRESUBMIT=passed
BUG=280278127
R=mghiware
APPROVED=mghiware
REQUIRED_REVIEW=1
DELTA=15 (7 added, 4 deleted, 4 changed)
DELTA_BY_EXTENSION=cxx=11
OCL=537406342
FIG_CHANGESET=b89f41211e07c7f574813ec124d9743a7c505e10
FIG_WORKSPACE=sungyc/153:icing
MARKDOWN=true
Affected files ...
... //depot//src/hunspell/affixmgr.cxx#12 edit
==== //depot//src/hunspell/affixmgr.cxx#11 - /google/src/files/537915601/depot//src/hunspell/affixmgr.cxx ====
--- /google/src/files/537395995/depot//src/hunspell/affixmgr.cxx 2023-06-02 16:30:25.000000000 -0400
+++ /google/src/files/537915601/depot//src/hunspell/affixmgr.cxx 2023-06-05 13:29:15.000000000 -0400
@@ -1,19 +1,19 @@
-#include "license.hunspell"
-#include "license.myspell"
+#include "affixmgr.hxx"
+#include <ctype.h>
+#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#include <stdio.h>
-#include <ctype.h>
+#include <limits>
#include <memory>
#include <vector>
-#include "affixmgr.hxx"
#include "affentry.hxx"
-#include "langnum.hxx"
-
#include "csutil.hxx"
+#include "langnum.hxx"
+#include "license.hunspell"
+#include "license.myspell"
AffixMgr::AffixMgr(const char * affpath, HashMgr** ptr, int * md, const char * key)
{
@@ -3766,8 +3766,11 @@
phone->num = atoi(piece);
phone->rules = NULL;
phone->utf8 = (char) utf8;
- if (phone->num < 1) {
+ if (phone->num < 1 ||
+ phone->num > std::numeric_limits<int>::max() / (2 * sizeof(char *)) - 1) {
HUNSPELL_WARNING(stderr, "error: line %d: bad entry number\n", af->getlinenum());
+ free(phone);
+ phone = NULL;
return 1;
}
phone->rules = (char * *) malloc(2 * (phone->num + 1) * sizeof(char *));
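Review bot: The new upper bound on `phone->num` validates a value that `atoi(piece)` has already produced, and `atoi` has undefined behavior when the token does not fit in an int, so an out-of-range numeric token (presumably read from the affix file, i.e. fuzzer-controlled input) can yield an arbitrary value before the guard on the two added `if` lines runs. Parsing with `strtol` and rejecting `errno == ERANGE` and an empty conversion closes that gap; the existing range bound can then be applied to the `long` result before it is narrowed into `phone->num`. The second added condition also compares `int` with `size_t` (`-Wsign-compare`); it is only safe because `phone->num < 1` short-circuits first, which deserves a comment such as `// num >= 1 here, so the int->size_t conversion is safe; bound keeps 2*(num+1)*sizeof(char*) within int`. `<errno.h>` would have to join the include block reordered in the first hunk. The enclosing function starts and ends outside the hunk.
```cpp
  // … unchanged: piece extraction …
  errno = 0;
  char* endp = NULL;
  long parsed = strtol(piece, &endp, 10);
  // parsed >= 1 is established before the unsigned bound is evaluated, so the
  // long->size_t conversion cannot wrap; the bound keeps 2*(num+1)*sizeof(char*)
  // within int for the malloc below.
  if (errno == ERANGE || endp == piece || parsed < 1 ||
      parsed > (long)(std::numeric_limits<int>::max() / (2 * sizeof(char *)) - 1)) {
    HUNSPELL_WARNING(stderr, "error: line %d: bad entry number\n", af->getlinenum());
    free(phone);
    phone = NULL;
    return 1;
  }
  phone->num = (int) parsed;
  phone->rules = NULL;
  phone->utf8 = (char) utf8;
  // … unchanged: malloc of phone->rules …
```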