Don't read past end of string in Guess ctor

<https://ci.libreoffice.org//job/lo_ubsan/1082/>: > ==26422==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000accc72 at pc 0x2ae43e63f4b6 bp 0x2ae43e600510 sp 0x2ae43e600508 > READ of size 1 at 0x604000accc72 thread T70 (cppu_threadpool) > #0 0x2ae43e63f4b5 in Guess::Guess(char const*) /lingucomponent/source/languageguessing/guess.cxx:95:28 > #1 0x2ae43e667f2f in SimpleGuesser::GetManagedLanguages(char) /lingucomponent/source/languageguessing/simpleguesser.cxx:169:19 > #2 0x2ae43e668420 in SimpleGuesser::GetAvailableLanguages() /lingucomponent/source/languageguessing/simpleguesser.cxx:179:12 > #3 0x2ae43e64a18e in LangGuess_Impl::getEnabledLanguages() /lingucomponent/source/languageguessing/guesslang.cxx:229:24 [...] > 0x604000accc72 is located 0 bytes to the right of 34-byte region [0x604000accc50,0x604000accc72) > allocated by thread T70 (cppu_threadpool) here: [...] > #7 0x2ae43e65350a in std::string::operator+=(char const*) /home/tdf/lode/opt_private/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/../../../../include/c++/5.2.0/bits/basic_string.h:3355:16 > #8 0x2ae43e667e6e in SimpleGuesser::GetManagedLanguages(char) /lingucomponent/source/languageguessing/simpleguesser.cxx:168:21 > #9 0x2ae43e668420 in SimpleGuesser::GetAvailableLanguages() /lingucomponent/source/languageguessing/simpleguesser.cxx:179:12 > #10 0x2ae43e64a18e in LangGuess_Impl::getEnabledLanguages() /lingucomponent/source/languageguessing/guesslang.cxx:229:24 [...] shows, during UITest_librelogo, the Guess ctor making wrong assumptions about the structure of guess_str and skipping over the terminating NUL. Locally I could see that while most inputs do have the expected syntax of starting with "[" and containing two "-", one input is indeed just "[haw-utf8" without a second "-". I don't know where the strings passed into the Guess ctor in the two places in lingucomponent/source/languageguessing/simpleguesser.cxx ultimately come from, and what their guaranteed syntax and their semantics is. So from the existing code and the non--well-formed "[haw-utf8" sample (where the second segment shall apparently designate an encoding, not a country), construct rules how to robustly parse any input into potential language/country/encoding parts. (What is obvious from the call sites is that for one each input will start with "[", and for another the item to parse need neither be "]"- nor NUL-terminated.) (Guess::encoding_str and the local enc variable have effectively been unused ever since the code's introduction in 07628119 "INTEGRATION: CWS languageguessing". Guess::encoding_str, but not the local enc variable, got later removed with b275246c "loplugin:unusedfields in formula..registry".) Change-Id: Icbedc05ed5b119ee4efbc3118cc17076a4d80c74 Reviewed-on: https://gerrit.libreoffice.org/62390 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sbergman@redhat.com>

Don't read past end of string in Guess ctor
<https://ci.libreoffice.org//job/lo_ubsan/1082/>: > ==26422==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000accc72 at pc 0x2ae43e63f4b6 bp 0x2ae43e600510 sp 0x2ae43e600508 > READ of size 1 at 0x604000accc72 thread T70 (cppu_threadpool) > #0 0x2ae43e63f4b5 in Guess::Guess(char const*) /lingucomponent/source/languageguessing/guess.cxx:95:28 > #1 0x2ae43e667f2f in SimpleGuesser::GetManagedLanguages(char) /lingucomponent/source/languageguessing/simpleguesser.cxx:169:19 > #2 0x2ae43e668420 in SimpleGuesser::GetAvailableLanguages() /lingucomponent/source/languageguessing/simpleguesser.cxx:179:12 > #3 0x2ae43e64a18e in LangGuess_Impl::getEnabledLanguages() /lingucomponent/source/languageguessing/guesslang.cxx:229:24 [...] > 0x604000accc72 is located 0 bytes to the right of 34-byte region [0x604000accc50,0x604000accc72) > allocated by thread T70 (cppu_threadpool) here: [...] > #7 0x2ae43e65350a in std::string::operator+=(char const*) /home/tdf/lode/opt_private/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/../../../../include/c++/5.2.0/bits/basic_string.h:3355:16 > #8 0x2ae43e667e6e in SimpleGuesser::GetManagedLanguages(char) /lingucomponent/source/languageguessing/simpleguesser.cxx:168:21 > #9 0x2ae43e668420 in SimpleGuesser::GetAvailableLanguages() /lingucomponent/source/languageguessing/simpleguesser.cxx:179:12 > #10 0x2ae43e64a18e in LangGuess_Impl::getEnabledLanguages() /lingucomponent/source/languageguessing/guesslang.cxx:229:24 [...] shows, during UITest_librelogo, the Guess ctor making wrong assumptions about the structure of guess_str and skipping over the terminating NUL. Locally I could see that while most inputs do have the expected syntax of starting with "[" and containing two "-", one input is indeed just "[haw-utf8" without a second "-". I don't know where the strings passed into the Guess ctor in the two places in lingucomponent/source/languageguessing/simpleguesser.cxx ultimately come from, and what their guaranteed syntax and their semantics is. So from the existing code and the non--well-formed "[haw-utf8" sample (where the second segment shall apparently designate an encoding, not a country), construct rules how to robustly parse any input into potential language/country/encoding parts. (What is obvious from the call sites is that for one each input will start with "[", and for another the item to parse need neither be "]"- nor NUL-terminated.) (Guess::encoding_str and the local enc variable have effectively been unused ever since the code's introduction in 07628119 "INTEGRATION: CWS languageguessing". Guess::encoding_str, but not the local enc variable, got later removed with b275246c "loplugin:unusedfields in formula..registry".) Change-Id: Icbedc05ed5b119ee4efbc3118cc17076a4d80c74 Reviewed-on: https://gerrit.libreoffice.org/62390 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
31a8d9c7 · Stephan Bergmann · 39d8e5e5 · 31a8d9c7
Kaydet (Commit) 31a8d9c7 authored Eki 26, 2018 tarafından Stephan Bergmann
Hide whitespace changes
Inline Side-by-side

Showing with 36 additions and 39 deletions

guess.cxx lingucomponent/source/languageguessing/guess.cxx +36 -39

No files found.
--- a/lingucomponent/source/languageguessing/guess.cxx
+++ b/lingucomponent/source/languageguessing/guess.cxx
@@ -17,6 +17,9 @@
 *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
 */
+#include <sal/config.h>
+#include <cassert>
 #include <iostream>
 #include <string.h>
@@ -39,11 +42,6 @@
 using namespace std;
-static bool isSeparator(const char c){
-    return c == GUESS_SEPARATOR_OPEN || c == GUESS_SEPARATOR_SEP || c == GUESS_SEPARATOR_CLOSE || c == '\0';
-}
 Guess::Guess()
    : language_str(DEFAULT_LANGUAGE)
    , country_str(DEFAULT_COUNTRY)
@@ -59,48 +57,47 @@ Guess::Guess(const char * guess_str)
    : language_str(DEFAULT_LANGUAGE)
    , country_str(DEFAULT_COUNTRY)
 {
-    string lang;
-    string country;
-    string enc;
    //if the guess is not like "UNKNOWN" or "SHORT", go into the brackets
    if(strcmp(guess_str + 1, TEXTCAT_RESULT_UNKNOWN_STR) != 0
       &&
       strcmp(guess_str + 1, TEXTCAT_RESULT_SHORT_STR) != 0)
    {
+        // From how this ctor is called from SimpleGuesser::GuessLanguage and
-        int current_pointer = 0;
+        // SimpleGuesser::GetManagedLanguages in
+        // lingucomponent/source/languageguessing/simpleguesser.cxx, guess_str must start with "[":
-        //this is to go to the first char of the guess string ( the '[' of "[en-US-utf8]" )
+        assert(guess_str[0] == GUESS_SEPARATOR_OPEN);
-        while(!isSeparator(guess_str[current_pointer])){
+        auto const start = guess_str + 1;
-            current_pointer++;
+        // Only look at the prefix of guess_str, delimited by the next "]" or "[" or end-of-string;
+        // split it into at most three segments separated by "-" (where excess occurrences of "-"
+        // would become part of the third segment), like "en-US-utf8"; the first segment denotes the
+        // language; if there are three segments, the second denotes the country and the third the
+        // encoding; otherwise, the second segment, if any (e.g., in "haw-utf8"), denotes the
+        // encoding:
+        char const * dash1 = nullptr;
+        char const * dash2 = nullptr;
+        auto p = start;
+        for (;; ++p) {
+            auto const c = *p;
+            if (c == '\0' || c == GUESS_SEPARATOR_OPEN || c == GUESS_SEPARATOR_CLOSE) {
+                break;
+            }
+            if (c == GUESS_SEPARATOR_SEP) {
+                if (dash1 == nullptr) {
+                    dash1 = p;
+                } else {
+                    dash2 = p;
+                    // The encoding is ignored, so we can stop as soon as we found the second "-":
+                    break;
+                }
+            }
        }
-        current_pointer++;
+        auto const langLen = (dash1 == nullptr ? p : dash1) - start;
+        if (langLen != 0) { // if not we use the default value
-        //this is to pick up the language ( the "en" from "[en-US-utf8]" )
+            language_str.assign(start, langLen);
-        while(!isSeparator(guess_str[current_pointer])){
-            lang+=guess_str[current_pointer];
-            current_pointer++;
-        }
-        current_pointer++;
-        //this is to pick up the country ( the "US" from "[en-US-utf8]" )
-        while(!isSeparator(guess_str[current_pointer])){
-            country+=guess_str[current_pointer];
-            current_pointer++;
        }
-        current_pointer++;
+        if (dash2 != nullptr) {
+            country_str.assign(dash1 + 1, dash2 - (dash1 + 1));
-        //this is to pick up the encoding ( the "utf8" from "[en-US-utf8]" )
-        while(!isSeparator(guess_str[current_pointer])){
-            enc+=guess_str[current_pointer];
-            current_pointer++;
-        }
-        if(!lang.empty()){//if not we use the default value
-            language_str=lang;
        }
-        country_str=country;
    }
 }