nagai/fune
3
0
Fork 0
forked from mirrors/gecko-dev
Code Pull requests Activity

Bug 1825445: Ensure hunspell spell checker is not invoked with very long strings r=bholley,glandium

Browse source 
Differential Revision: https://phabricator.services.mozilla.com/D174541
This commit is contained in:
Shravan Narayan 2023-04-04 20:59:33 +00:00
parent d6481709e6
commit 4a3f703dab
4 changed files with 33 additions and 1 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

19
extensions/spellcheck/hunspell/glue/RLBoxHunspell.cpp
View file

@ -160,14 +160,26 @@ RLBoxHunspell::~RLBoxHunspell() {
mozHunspellCallbacks::Clear();
}
// Invoking hunspell with words larger than a certain size will cause the
// Hunspell sandbox to run out of memory. So we pick an arbitrary limit of
// 200000 here to ensure this doesn't happen.
static const size_t gWordSizeLimit = 200000;
int RLBoxHunspell::spell(const std::string& stdWord) {
MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread());
const int ok = 1;
if (stdWord.length() >= gWordSizeLimit) {
// Fail gracefully assuming the word is spelt correctly
return ok;
}
// Copy word into the sandbox
tainted_hunspell<char*> t_word = allocStrInSandbox(*mSandbox, stdWord);
if (!t_word) {
// Ran out of memory in the hunspell sandbox
// Fail gracefully assuming the word is spelt correctly
const int ok = 1;
return ok;
}
@ -189,6 +201,11 @@ const std::string& RLBoxHunspell::get_dict_encoding() const {
// sandbox, we return empty suggestion list
std::vector<std::string> RLBoxHunspell::suggest(const std::string& stdWord) {
MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread());
if (stdWord.length() >= gWordSizeLimit) {
return {};
}
// Copy word into the sandbox
tainted_hunspell<char*> t_word = allocStrInSandbox(*mSandbox, stdWord);
if (!t_word) {

12
extensions/spellcheck/hunspell/tests/crashtests/1825445.html Normal file
View file

@ -0,0 +1,12 @@
<html>
<p id="targetParagraph">
<script>
document.designMode = 'on';
function crash() {
for(var i=0; i<850; i++) { targetParagraph.insertAdjacentText("afterEnd", "S".repeat(8567)); }
}
crash();
</script>
</html>

1
extensions/spellcheck/hunspell/tests/crashtests/crashtests.list Normal file
View file

@ -0,0 +1 @@
load 1825445.html

2
testing/crashtest/crashtests.list
View file

@ -43,6 +43,8 @@ include ../../editor/composer/crashtests/crashtests.list
include ../../editor/libeditor/crashtests/crashtests.list
include ../../editor/txmgr/tests/crashtests/crashtests.list
include ../../extensions/spellcheck/hunspell/tests/crashtests/crashtests.list
include ../../gfx/tests/crashtests/crashtests.list
include ../../image/test/crashtests/crashtests.list