blob: f1f0946ae714d0c648bfa4e9df5e3dbfa5c1d887
Change 640274267 by sungyc@sungyc:fig-export-hunspell-7504-change-3:7518:citc on 2024/06/04 13:58:38
[hunspell][vulnerability fix] Fix incorrect string length for lcs algorithm
## Test plan
```shell
sso_client -location 'https://clusterfuzz.corp.google.com/testcase-detail/download-testcase?id=6268223149899776' > /tmp/testcase-6268223149899776 && \
blaze --blazerc=/dev/null test --config=fuzztest-msan \
    --test_strategy=local \
    --test_sharding_strategy=disabled \
    --test_env=FUZZTEST_REPLAY=/tmp/testcase-6268223149899776 \
    --test_filter=LLVMFuzzer.TestOneInput \
    //third_party/hunspell/fuzzers:suggestions_fuzzer
```
## Description
This bug is triggered when an error occurs in `u8_u16` and it returns -1 for the length.
- We malloc `(m + 1) * (n + 1)` bytes in the following line. Since one of `m` or `n` is -1 now, we're calling `malloc(0)` here.
- According to the documentation, `malloc(0)` can return `NULL` or a valid non-null pointer (freeable). In our system, `malloc(0)` returns the latter.
- Later, when returning to the caller, we do:
```cpp
i = m;
j = n;
while ((i != 0) && (j != 0)) {
  if (result[i*(n+1) + j] == LCS_UPLEFT)
  // ...
}
```
which potentially causes not only invalid iterations (since `i` and `j` are only ever decremented and will underflow when starting from -1), but also invalid accesses to `result[...]`.
Therefore, we should do an early return in the `lcs` algorithm when we get a length <= 0.
PRESUBMIT=passed
BUG=336187503
R=tjbarron
APPROVED=tjbarron
REQUIRED_REVIEW=1
DELTA=4 (4 added, 0 deleted, 0 changed)
DELTA_BY_EXTENSION=cxx=4
OCL=639874531
FIG_CHANGESET=4acb332f66fbf4c2c694f9af5bd370a928e27010
FIG_WORKSPACE=sungyc/7504:hunspell
MARKDOWN=true
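As an added, stand-alone illustration (not hunspell's code and not part of this change), the early return described above paired with the caller-side NULL check it depends on. Lengths are passed in by the caller so that a simulated decoder failure of -1 can be exercised directly; the function names `lcs_table` and `lcs_len` and the direction constants are assumptions for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed backtrack markers; hunspell uses names like LCS_UPLEFT for the same idea. */
#define LCS_UP 1
#define LCS_LEFT 2
#define LCS_UPLEFT 3

/* Reconstruction of an lcs()-style routine: fills a backtrack table for
 * s (length m) and s2 (length n), or sets *result to NULL when it cannot. */
static void lcs_table(const char *s, int m, const char *s2, int n, char **result) {
  *result = NULL;
  /* The guard from the change: a length of -1 (decoder error) or 0 would make
   * (m + 1) * (n + 1) zero or meaningless, so allocate nothing and let the
   * caller see NULL instead of a zero-byte block it would then index. */
  if (m <= 0 || n <= 0)
    return;
  size_t cells = (size_t)(m + 1) * (size_t)(n + 1);
  char *c = calloc(cells, 1); /* subsequence lengths (row 0 / col 0 stay 0) */
  char *b = calloc(cells, 1); /* backtrack directions */
  if (!c || !b) {
    free(c);
    free(b);
    return; /* same NULL-result convention as the allocation-failure path */
  }
  for (int i = 1; i <= m; i++) {
    for (int j = 1; j <= n; j++) {
      if (s[i - 1] == s2[j - 1]) {
        c[i * (n + 1) + j] = c[(i - 1) * (n + 1) + j - 1] + 1;
        b[i * (n + 1) + j] = LCS_UPLEFT;
      } else if (c[(i - 1) * (n + 1) + j] >= c[i * (n + 1) + j - 1]) {
        c[i * (n + 1) + j] = c[(i - 1) * (n + 1) + j];
        b[i * (n + 1) + j] = LCS_UP;
      } else {
        c[i * (n + 1) + j] = c[i * (n + 1) + j - 1];
        b[i * (n + 1) + j] = LCS_LEFT;
      }
    }
  }
  free(c);
  *result = b;
}

/* Caller side: the backtrack loop quoted in the description, preceded by the
 * NULL check that the early return relies on. Returns 0 when no table exists,
 * so i and j are never seeded with a negative length. */
int lcs_len(const char *s, int m, const char *s2, int n) {
  char *result;
  lcs_table(s, m, s2, n, &result);
  if (!result)
    return 0;
  int len = 0;
  int i = m, j = n;
  while (i != 0 && j != 0) {
    char dir = result[i * (n + 1) + j];
    if (dir == LCS_UPLEFT) {
      len++;
      i--;
      j--;
    } else if (dir == LCS_UP) {
      i--;
    } else {
      j--;
    }
  }
  free(result);
  return len;
}

int main(void) {
  /* Constructed inputs: a normal pair, then the same pair with a simulated
   * decoder error (-1) standing in for a failed length computation. */
  int ok = lcs_len("hunspell", (int)strlen("hunspell"), "spell", (int)strlen("spell"));
  int bad = lcs_len("hunspell", -1, "spell", (int)strlen("spell"));
  return (ok == 5 && bad == 0) ? 0 : 1;
}
```

Without the guard, the -1 case would request a zero-byte allocation and then index it from `i = -1`; with it, `lcs_len` returns 0 and touches no memory, which is the behaviour the change aims for.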
Affected files ...
... //depot//src/hunspell/suggestmgr.cxx#9 edit
==== //depot//src/hunspell/suggestmgr.cxx#8 - /google/src/files/640274267/depot//src/hunspell/suggestmgr.cxx ====
--- /google/src/files/615029530/depot//src/hunspell/suggestmgr.cxx 2024-03-12 10:13:27.000000000 -0400
+++ /google/src/files/640274267/depot//src/hunspell/suggestmgr.cxx 2024-06-04 16:58:38.000000000 -0400
@@ -1969,6 +1969,10 @@
m = strlen(s);
n = strlen(s2);
}
+ if (m <= 0 || n <= 0) {
+ *result = NULL;
+ return;
+ }
c = (char *) malloc((m + 1) * (n + 1));
b = (char *) malloc((m + 1) * (n + 1));
if (!c || !b) {
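Review bot: the new early return hands back `*result = NULL` (lines `+ *result = NULL;` / `+ return;`), so every caller of `lcs` must test `result` for NULL before indexing it; the caller loop quoted in the description (`i = m; j = n; while ((i != 0) && (j != 0))`) shows no such check, so please confirm the callers do check it, otherwise the crash moves from an out-of-bounds read on a zero-byte allocation to a NULL dereference. Matching the convention of the `if (!c || !b)` allocation-failure path directly below is the right choice, as it keeps the callers' handling uniform. Also, `if (m <= 0 || n <= 0)` only catches the -1 from `u8_u16` if `m` and `n` are signed; the context lines assign `strlen(...)` (a `size_t`) to them, so a short comment noting that they are `int` by design would help the next reader.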