blob: 7a107e2abd54afe46a84fb78990f7268dc3ee5ab
Change 623201869 by sungyc@sungyc:fig-export-icing-153-change-481:7428:citc on 2024/04/09 10:04:20
[hunspell][vulnerability fix] Fix heap buffer overflow error
## Test plan
```
blaze --blazerc=/dev/null test -c opt --config=fuzztest --copt=-DNDEBUG \
--test_strategy=local \
--test_sharding_strategy=disabled \
--test_env=FUZZTEST_REPLAY=/tmp/testcase-4897268770078720 \
--test_filter=LLVMFuzzer.TestOneInput \
//third_party/hunspell/fuzzers:dict_fuzzer
```
## Description
Add a check for `s2` to make sure `s2` doesn't go out of bounds.
PRESUBMIT=passed
BUG=326385709
R=mghiware
APPROVED=mghiware
REQUIRED_REVIEW=1
DELTA=1 (0 added, 0 deleted, 1 changed)
DELTA_BY_EXTENSION=cxx=1
OCL=621828139
DIFFBASE=621820692
FIG_CHANGESET=5c6280f36dbdf8e1365a5a5b3111be309251be25
FIG_WORKSPACE=sungyc/153:icing
MARKDOWN=true
Affected files ...
... //depot//src/hunspell/affixmgr.cxx#21 edit
==== //depot//src/hunspell/affixmgr.cxx#20 - /google/src/files/623201869/depot//src/hunspell/affixmgr.cxx ====
--- /google/src/files/623201281/depot//src/hunspell/affixmgr.cxx 2024-04-09 13:03:04.000000000 -0400
+++ /google/src/files/623201869/depot//src/hunspell/affixmgr.cxx 2024-04-09 13:04:20.000000000 -0400
@@ -1088,7 +1088,7 @@
// return 1 if s1 is a leading subset of s2 (dots are for infixes)
inline int AffixMgr::isSubset(const char * s1, const char * s2)
{
- while (((*s1 == *s2) || (*s1 == '.')) && (*s1 != '\0')) {
+ while (((*s1 == *s2) || (*s1 == '.')) && (*s1 != '\0') && (*s2 != '\0')) {
s1++;
s2++;
}
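Review bot: the added `(*s2 != '\0')` guard in the loop condition is the right fix, because the `(*s1 == '.')` branch lets the loop continue on a mismatch, so with `s1` longer than `s2` the original kept advancing `s2` past its NUL terminator (the heap read the fuzzer found); the new condition now stops at the end of `s2`. Note that the guard only matters on the dot branch, since `*s1 == *s2` with `*s2 == '\0'` already implied `*s1 == '\0'`; a one-line comment saying so would make the intent clear to the next reader. Please also confirm the return statement after the loop (not shown in this hunk) treats the new exit case correctly: when `s2` is exhausted while `*s1` is still a `'.'` or another non-NUL character, `s1` is not a leading subset of `s2`, which holds if the function returns `*s1 == '\0'` as the comment above the function suggests.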