Change 537916729 by sungyc@sungyc:fig-export-icing-153-change-352:5498:citc on 2023/06/05 10:32:42
[hunspell] Fix pointer serialize error
## Test plan
```
sso_client -location 'https://clusterfuzz.corp.google.com/testcase-detail/download-testcase?id=6280357192007680' > /tmp/testcase-6280357192007680 && \
blaze --blazerc=/dev/null test -c opt --config=asan-fuzzer --test_strategy=local --test_sharding_strategy=disabled \
--test_env=ENABLE_BLAZE_TEST_FUZZING=1 --test_arg=-runs=100 --test_arg=/tmp/testcase-6280357192007680 \
//third_party/hunspell/fuzzers:dict_fuzzer
```
## Description
- We store `aliasm[atoi(desc) - 1]`'s content (a memory address) into `hpw + wbl + 1`.
- If `atoi(desc)` is out of bounds (< 0 or >= numaliasm), then `get_aliasm(atoi(desc))` returns `NULL`.
- This bug is caused by incorrect `desc` content (note: `desc` is not NULL, but it contains only '\0'), which makes `get_aliasm` return NULL. We serialize that NULL, and later `strstr(HENTRY_DATA(hp), MORPH_PHON)` uses it, which causes a memory error.
This CL:
- Adds NULL check before serializing.
- Also changes the memory allocate size calculation.
PRESUBMIT=passed
BUG=280420276
R=mghiware
APPROVED=mghiware
REQUIRED_REVIEW=1
DELTA=9 (5 added, 0 deleted, 4 changed)
DELTA_BY_EXTENSION=cxx=8,hxx=1
OCL=537433767
FIG_CHANGESET=87b3c783ed831422e442613718935eda7870b28a
FIG_WORKSPACE=sungyc/153:icing
MARKDOWN=true
Affected files ...
... //depot//src/hunspell/csutil.cxx#3 edit
... //depot//src/hunspell/csutil.hxx#3 edit
... //depot//src/hunspell/hashmgr.cxx#8 edit
==== //depot//src/hunspell/csutil.cxx#2 - /google/src/files/537916729/depot//src/hunspell/csutil.cxx ====
--- /google/src/files/49864191/depot//src/hunspell/csutil.cxx 2013-07-24 23:12:12.000000000 -0400
+++ /google/src/files/537916729/depot//src/hunspell/csutil.cxx 2023-06-05 13:32:42.000000000 -0400
@@ -665,7 +665,7 @@
}
// conversion function for protected memory
- void store_pointer(char * dest, char * source)
+ void store_pointer(char * dest, const char * source)
{
memcpy(dest, &source, sizeof(char *));
}
==== //depot//src/hunspell/csutil.hxx#2 - /google/src/files/537916729/depot//src/hunspell/csutil.hxx ====
--- /google/src/files/49864191/depot//src/hunspell/csutil.hxx 2013-07-24 23:12:12.000000000 -0400
+++ /google/src/files/537916729/depot//src/hunspell/csutil.hxx 2023-06-05 13:32:42.000000000 -0400
@@ -186,7 +186,7 @@
LIBHUNSPELL_DLL_EXPORTED int get_sfxcount(const char * morph);
// conversion function for protected memory
-LIBHUNSPELL_DLL_EXPORTED void store_pointer(char * dest, char * source);
+LIBHUNSPELL_DLL_EXPORTED void store_pointer(char * dest, const char * source);
// conversion function for protected memory
LIBHUNSPELL_DLL_EXPORTED char * get_stored_pointer(const char * s);
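Review bot: The `const char *` now accepted by store_pointer is dropped again on the read side, because get_stored_pointer on the line after the changed declaration still returns `char *`, so the alias text goes in as const and comes out writable. If callers only read the stored string, declaring `LIBHUNSPELL_DLL_EXPORTED const char * get_stored_pointer(const char * s);` would keep the qualifier end to end; if some caller does write through it, a comment on this declaration noting that the const is intentionally discarded on retrieval would at least make that visible. The same signature change appears in the csutil.cxx hunk above, where the memcpy body is otherwise fine.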
==== //depot//src/hunspell/hashmgr.cxx#7 - /google/src/files/537916729/depot//src/hunspell/hashmgr.cxx ====
--- /google/src/files/537406616/depot//src/hunspell/hashmgr.cxx 2023-06-02 17:14:02.000000000 -0400
+++ /google/src/files/537916729/depot//src/hunspell/hashmgr.cxx 2023-06-05 13:32:42.000000000 -0400
@@ -126,7 +126,7 @@
int al, const char * desc, bool onlyupcase)
{
bool upcasehomonym = false;
- int descl = desc ? (aliasm ? sizeof(short) : strlen(desc) + 1) : 0;
+ int descl = desc ? (aliasm ? sizeof(char *) : strlen(desc) + 1) : 0;
// variable-length hash record with word and optional fields
struct hentry* hp =
(struct hentry *) malloc (sizeof(struct hentry) + wbl + descl);
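Review bot: `descl` on the changed line is declared `int` while both `sizeof(char *)` and `strlen(desc) + 1` are `size_t`, so the length of a dictionary-supplied `desc` is narrowed to `int` before it feeds the `malloc` size two lines below, and a very long entry could be truncated into an undersized record. Declaring it as `size_t descl = desc ? (aliasm ? sizeof(char *) : strlen(desc) + 1) : 0;` removes the narrowing, provided `wbl` is also an unsigned type; its declaration is outside the hunk, so that needs confirming. The enclosing add_word starts before this hunk and continues past it.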
@@ -158,7 +158,12 @@
hp->var = H_OPT;
if (aliasm) {
hp->var += H_OPT_ALIASM;
- store_pointer(hpw + wbl + 1, get_aliasm(atoi(desc)));
+ const char* aliasm_desc = get_aliasm(atoi(desc));
+ if (!aliasm_desc) {
+ free(hp);
+ return 1;
+ }
+ store_pointer(hpw + wbl + 1, aliasm_desc);
} else {
strcpy(hpw + wbl + 1, desc);
if (complexprefixes) {
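Review bot: The added guard catches a NULL from get_aliasm, but `atoi(desc)` on the same line still accepts a malformed or empty `desc` silently (the description notes `desc` was an empty string, which atoi turns into 0), so correctness here rests entirely on get_aliasm range-checking its argument, which is not visible in this hunk. Parsing with `strtol` and checking `end != desc && *end == '\0'` before calling get_aliasm would reject a corrupt alias index explicitly rather than relying on the callee, and a comment such as `// get_aliasm returns NULL for an out-of-range alias index; never serialize that` would record why the check exists. The early `free(hp); return 1;` presumably leaves nothing else attached to hp at this point; if anything between the allocation and here was already linked into the table it would be orphaned, which is worth confirming since that stretch lies outside the hunk. add_word starts before and continues after this hunk.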