blob: 75fbf907dd9a2242c0cb54c065ddd21663f3765f
Change 613323179 by sungyc@sungyc:fig-export-icing-153-change-472:7338:citc on 2024/03/06 13:29:53
[hunspell][vulnerability fix] Add index boundary check to avoid buffer overflow or use-of-uninitialized-value error
## Test plan
```
sso_client -location 'https://clusterfuzz.corp.google.com/testcase-detail/download-testcase?id=5674120459649024' > /tmp/testcase-5674120459649024 && \
blaze --blazerc=/dev/null test --config=fuzztest-msan \
--test_strategy=local \
--test_sharding_strategy=disabled \
--test_env=FUZZTEST_REPLAY=/tmp/testcase-5674120459649024 \
--test_filter=LLVMFuzzer.TestOneInput \
//third_party/hunspell/fuzzers:suggestions_fuzzer
```
## Description
When setting `cmin` and `cmax`, it is possible that they go out of bounds (not in range `[0, len - 1]`), which may potentially cause a buffer overflow error, or a use of the uninitialized value of `word[*cmin]`/`word[*cmax]`.
PRESUBMIT=passed
BUG=326368180
R=mghiware
APPROVED=mghiware
REQUIRED_REVIEW=1
DELTA=4 (0 added, 0 deleted, 4 changed)
DELTA_BY_EXTENSION=cxx=4
OCL=612513824
FIG_CHANGESET=318a0cff97e309dceb0197b75cce97b385d4a968
FIG_WORKSPACE=sungyc/153:icing
MARKDOWN=true
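The out-of-bounds behaviour described above, as an added example that is not hunspell's code and not part of this change: the pre-patch and post-patch versions of the UTF-8 scan from `AffixMgr::setcminmax` are re-typed over a tracing accessor, so that every index the scan touches is recorded instead of dereferenced. Assumptions in this example: `cpdmin` is passed as a parameter (in hunspell it is the `COMPOUNDMIN` option held by `AffixMgr`), the value 3 used for it is assumed rather than taken from the page, and memory outside the word is simulated as `GUARD` bytes of `0x80` (UTF-8 continuation bytes, the pattern that keeps both inner loops running) followed by a NUL. The inputs are constructed, not the ClusterFuzz testcase.

```c
#include <stdio.h>

#define GUARD 4  /* simulated bytes of "neighbouring memory" on each side of the word */

/* A word plus the lowest and highest index any scan has read from it. */
typedef struct {
    const unsigned char *bytes;
    int len;
    int lo, hi;   /* sentinels lo == len, hi == -1 mean "nothing read yet" */
} traced_word;

static void tw_init(traced_word *w, const char *s, int len) {
    w->bytes = (const unsigned char *)s;
    w->len = len;
    w->lo = len;
    w->hi = -1;
}

/* Bounds-recording replacement for word[i]. Inside the word it returns the
 * real byte; up to GUARD bytes on either side it returns a simulated 0x80
 * continuation byte (as if the buffer were not NUL-terminated and the
 * adjacent memory happened to look like UTF-8 continuation bytes); beyond
 * that it returns 0 so the demonstration terminates. */
static unsigned char rd(traced_word *w, int i) {
    if (i < w->lo) w->lo = i;
    if (i > w->hi) w->hi = i;
    if (i >= 0 && i < w->len) return w->bytes[i];
    if (i >= -GUARD && i < w->len + GUARD) return 0x80;
    return 0;
}

/* Pre-patch loops: the '-' lines of the hunk, with word[x] replaced by rd(w, x). */
static void setcminmax_old(traced_word *w, int cpdmin, int *cmin, int *cmax) {
    int i;
    for (*cmin = 0, i = 0; (i < cpdmin) && rd(w, *cmin); i++) {
        for ((*cmin)++; (rd(w, *cmin) & 0xc0) == 0x80; (*cmin)++)
            ;
    }
    for (*cmax = w->len, i = 0; (i < (cpdmin - 1)) && *cmax; i++) {
        for ((*cmax)--; (rd(w, *cmax) & 0xc0) == 0x80; (*cmax)--)
            ;
    }
}

/* Post-patch loops: the '+' lines of the hunk, same substitution. The
 * short-circuit order matters: the index test runs before rd() is called. */
static void setcminmax_new(traced_word *w, int cpdmin, int *cmin, int *cmax) {
    int i;
    for (*cmin = 0, i = 0; (i < cpdmin) && *cmin < w->len && rd(w, *cmin); i++) {
        for ((*cmin)++; *cmin < w->len && (rd(w, *cmin) & 0xc0) == 0x80; (*cmin)++)
            ;
    }
    for (*cmax = w->len, i = 0; (i < (cpdmin - 1)) && *cmax > 0; i++) {
        for ((*cmax)--; *cmax > 0 && (rd(w, *cmax) & 0xc0) == 0x80; (*cmax)--)
            ;
    }
}

typedef struct { int cmin, cmax, lo, hi; } scan_result;

/* Run one version of the scan over a constructed word and report what it
 * computed and which indices it touched. */
static scan_result run_scan(int use_fix, const char *s, int len, int cpdmin) {
    traced_word w;
    scan_result r;
    tw_init(&w, s, len);
    if (use_fix) setcminmax_new(&w, cpdmin, &r.cmin, &r.cmax);
    else         setcminmax_old(&w, cpdmin, &r.cmin, &r.cmax);
    r.lo = w.lo;
    r.hi = w.hi;
    return r;
}

/* 1 if every index the scan read lies inside [0, len - 1]. */
static int in_bounds(scan_result r, int len) {
    return r.lo >= 0 && r.hi < len;
}

int main(void) {
    /* Constructed inputs: a word made only of continuation bytes (malformed
     * UTF-8, the kind of input a fuzzer finds), and a short word whose buffer
     * is treated as not NUL-terminated. cpdmin = 3 is assumed. */
    const char *words[] = { "\x80\x80\x80", "ab" };
    const int   lens[]  = { 3, 2 };
    for (int c = 0; c < 2; c++) {
        for (int fix = 0; fix < 2; fix++) {
            scan_result r = run_scan(fix, words[c], lens[c], 3);
            printf("case %d %s: cmin=%d cmax=%d read indices [%d, %d] %s\n",
                   c, fix ? "patched " : "original", r.cmin, r.cmax, r.lo, r.hi,
                   in_bounds(r, lens[c]) ? "in bounds" : "OUT OF BOUNDS");
        }
    }
    return 0;
}
```

For the all-continuation-byte word the original loops walk `*cmax` below zero and `*cmin` past the end until the simulated memory stops them, while the patched loops never read outside the word. Note that the patched scan can still leave `*cmin == len` (here 3, and 2 for the short word); that value is an end marker, not an index into `word`, so callers must not dereference it without their own check.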
Affected files ...
... //depot//src/hunspell/affixmgr.cxx#16 edit
==== //depot//src/hunspell/affixmgr.cxx#15 - /google/src/files/613323179/depot//src/hunspell/affixmgr.cxx ====
--- /google/src/files/583480615/depot//src/hunspell/affixmgr.cxx 2023-11-17 16:59:58.000000000 -0500
+++ /google/src/files/613323179/depot//src/hunspell/affixmgr.cxx 2024-03-06 16:29:53.000000000 -0500
@@ -1508,11 +1508,11 @@
void AffixMgr::setcminmax(int * cmin, int * cmax, const char * word, int len) {
if (utf8) {
int i;
- for (*cmin = 0, i = 0; (i < cpdmin) && word[*cmin]; i++) {
- for ((*cmin)++; (word[*cmin] & 0xc0) == 0x80; (*cmin)++);
+ for (*cmin = 0, i = 0; (i < cpdmin) && *cmin < len && word[*cmin]; i++) {
+ for ((*cmin)++; *cmin < len && (word[*cmin] & 0xc0) == 0x80; (*cmin)++);
}
- for (*cmax = len, i = 0; (i < (cpdmin - 1)) && *cmax; i++) {
- for ((*cmax)--; (word[*cmax] & 0xc0) == 0x80; (*cmax)--);
+ for (*cmax = len, i = 0; (i < (cpdmin - 1)) && *cmax > 0; i++) {
+ for ((*cmax)--; *cmax > 0 && (word[*cmax] & 0xc0) == 0x80; (*cmax)--);
}
} else {
*cmin = cpdmin;
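Review bot: The description says `cmin`/`cmax` are kept in `[0, len - 1]`, but this hunk only stops the scan at the boundary and does not clamp the result: the `cmin` loops bound the index with `*cmin < len`, so once the word has fewer than `cpdmin` characters `*cmin` exits equal to `len`, and `*cmax` stays at `len` whenever `cpdmin <= 1` because the outer loop never runs. Any caller that then indexes `word[*cmin]` or `word[*cmax]` still reads `word[len]`, which is only safe if `word` is NUL-terminated at `len`. Either clamp after the loops, e.g. `if (*cmin > len - 1) *cmin = len - 1;` and likewise for `*cmax`, or state in the description that `*cmin == len` / `*cmax == len` is an end-of-word marker the callers are expected to handle. The `*cmax > 0` guards are the part that fixes the real underflow (a word whose first byte is a continuation byte used to walk `*cmax` to -1 and read `word[-1]`); changing the outer condition from `*cmax` to `*cmax > 0` is also what keeps a negative value from ever being decremented further. Minor style point: the empty-body `for (...);` lines are easy to misread as a loop with the next line as its body; putting the `;` on its own line or using `{}` would make the empty body visible.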