Change 541956676 by sungyc@sungyc:fig-export-icing-153-change-357:5526:citc on 2023/06/20 09:47:53
[hunspell] Fix aliasm memory leak error
## Test plan
```
sso_client -location 'https://clusterfuzz.corp.google.com/testcase-detail/download-testcase?id=6277726054776832' > /tmp/testcase-6277726054776832 && \
blaze --blazerc=/dev/null test -c opt --config=asan-fuzzer --test_strategy=local --test_sharding_strategy=disabled \
--test_env=ENABLE_BLAZE_TEST_FUZZING=1 --test_arg=-runs=100 --test_arg=/tmp/testcase-6277726054776832 \
//third_party/hunspell/fuzzers:dict_fuzzer
```
## Description
The memory leak is caused by:
- Some previous round allocated `aliasm[j]` successfully.
- If a later step fails, we free the entire `aliasm` array and return early, but the original cleanup code did not free the second-level allocations (`aliasm[j]`) made in earlier rounds.
This CL creates a new private method `free_aliasm` to handle all these cases.
PRESUBMIT=passed
BUG=280280659
R=mghiware
CC=tjbarron
APPROVED=mghiware
REQUIRED_REVIEW=1
DELTA=42 (19 added, 17 deleted, 6 changed)
DELTA_BY_EXTENSION=cxx=24,hxx=1
OCL=538271164
DIFFBASE=538018307
FIG_CHANGESET=9414dae38fc69132c785e6029fb78b64f1c57847
FIG_WORKSPACE=sungyc/153:icing
MARKDOWN=true
Affected files ...
... //depot//src/hunspell/hashmgr.cxx#10 edit
... //depot//src/hunspell/hashmgr.hxx#3 edit
==== //depot//src/hunspell/hashmgr.cxx#9 - /google/src/files/541956676/depot//src/hunspell/hashmgr.cxx ====
--- /google/src/files/541956399/depot//src/hunspell/hashmgr.cxx 2023-06-20 12:47:05.000000000 -0400
+++ /google/src/files/541956676/depot//src/hunspell/hashmgr.cxx 2023-06-20 12:47:53.000000000 -0400
@@ -68,15 +68,7 @@
tablesize = 0;
free_aliasf();
- if (aliasm) {
- for (int j = 0; j < (numaliasm); j++) {
- if (aliasm[j]) {
- free(aliasm[j]);
- }
- }
- free(aliasm);
- aliasm = NULL;
- }
+ free_aliasm();
#ifndef OPENOFFICEORG
#ifndef MOZILLA_CLIENT
@@ -849,12 +841,13 @@
case 1: {
numaliasm = atoi(piece);
if (numaliasm < 1) {
+ free_aliasm();
HUNSPELL_WARNING(stderr, "error: line %d: bad entry number\n", af->getlinenum());
return 1;
}
aliasm = (char **) malloc(numaliasm * sizeof(char *));
if (!aliasm) {
- numaliasm = 0;
+ free_aliasm();
return 1;
}
// Initialize all aliasm to NULL.
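Review bot: `numaliasm = atoi(piece)` in `case 1` takes whatever count the dictionary file supplies, and only the lower bound is checked before it sizes `malloc(numaliasm * sizeof(char *))` and the NULL-initialisation that follows. `atoi` has undefined behaviour when the value does not fit in an int, and where size_t is 32 bits the multiplication can wrap, so the initialisation would write past a short allocation. Since this path is reached from fuzzed input, consider parsing with `strtol` and adding an upper bound to the guard, e.g. `if (numaliasm < 1 || (size_t)numaliasm > SIZE_MAX / sizeof(char *)) {`. The enclosing function starts and ends outside this hunk.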
@@ -869,9 +862,7 @@
piece = mystrsep(&tp, 0);
}
if (np != 2) {
- numaliasm = 0;
- if (aliasm) free(aliasm);
- aliasm = NULL;
+ free_aliasm();
HUNSPELL_WARNING(stderr, "error: line %d: missing data\n", af->getlinenum());
return 1;
}
@@ -879,7 +870,10 @@
/* now parse the numaliasm lines to read in the remainder of the table */
char * nl = line;
for (int j=0; j < numaliasm; j++) {
- if (!(nl = af->getline())) return 1;
+ if (!(nl = af->getline())) {
+ free_aliasm();
+ return 1;
+ }
mychomp(nl);
tp = nl;
i = 0;
@@ -890,10 +884,8 @@
switch(i) {
case 0: {
if (strncmp(piece,"AM",2) != 0) {
+ free_aliasm();
HUNSPELL_WARNING(stderr, "error: line %d: table is corrupt\n", af->getlinenum());
- numaliasm = 0;
- free(aliasm);
- aliasm = NULL;
return 1;
}
break;
@@ -910,9 +902,7 @@
}
aliasm[j] = mystrdup(piece);
if (!aliasm[j]) {
- numaliasm = 0;
- free(aliasm);
- aliasm = NULL;
+ free_aliasm();
return 1;
}
break; }
@@ -923,9 +913,7 @@
piece = mystrsep(&tp, ' ');
}
if (!aliasm[j]) {
- numaliasm = 0;
- free(aliasm);
- aliasm = NULL;
+ free_aliasm();
HUNSPELL_WARNING(stderr, "error: line %d: table is corrupt\n", af->getlinenum());
return 1;
}
@@ -959,3 +947,16 @@
}
numaliasf = 0;
}
+
+void HashMgr::free_aliasm() {
+ if (aliasm) {
+ for (int i = 0; i < (numaliasm); i++) {
+ if (aliasm[i]) {
+ free(aliasm[i]);
+ }
+ }
+ free(aliasm);
+ aliasm = NULL;
+ }
+ numaliasm = 0;
+}
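Review bot: `free_aliasm()` has no comment stating the invariant it depends on: it walks `aliasm[0..numaliasm)` and frees every non-NULL slot, so it is only safe when `numaliasm` matches the allocated length and every slot is either NULL or a heap pointer owned by the table. The parser appears to ensure this by NULL-initialising the array right after `malloc`, but nothing at the helper records it, and a later error path added before that initialisation would free uninitialised pointers. I would add above the definition something like `// Frees aliasm[0..numaliasm) and the table; each slot must be NULL or heap-owned and numaliasm must equal the allocated length.` As a minor style point, `free(NULL)` is a no-op, so the inner `if (aliasm[i])` guard can be dropped. The hunk opens with the tail of the preceding function, which is outside the view.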
==== //depot//src/hunspell/hashmgr.hxx#2 - /google/src/files/541956676/depot//src/hunspell/hashmgr.hxx ====
--- /google/src/files/541956399/depot//src/hunspell/hashmgr.hxx 2023-06-20 12:47:05.000000000 -0400
+++ /google/src/files/541956676/depot//src/hunspell/hashmgr.hxx 2023-06-20 12:47:53.000000000 -0400
@@ -65,6 +65,7 @@
int remove_forbidden_flag(const char * word);
void free_aliasf();
+ void free_aliasm();
};
#endif