[Libreoffice-bugs] [Bug 126311] New: SPELL: af_ZA.aff quietly broken

bugzilla-daemon at bugs.documentfoundation.org bugzilla-daemon at bugs.documentfoundation.org
Tue Jul 9 15:04:09 UTC 2019 

https://bugs.documentfoundation.org/show_bug.cgi?id=126311

            Bug ID: 126311
           Summary: SPELL: af_ZA.aff quietly broken
           Product: LibreOffice
           Version: 6.3.0.1 rc
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: Linguistic
          Assignee: libreoffice-bugs at lists.freedesktop.org
          Reporter: elmar.braun at sh-p.de
                CC: sophi at libreoffice.org

Description:
The file af_ZA.aff from the Afrikaans dictionary contains lines such as:

SFX J   0  etjie   ^.{1,3}[aeiouyëê]ng

https://cgit.freedesktop.org/libreoffice/dictionaries/tree/af_ZA/af_ZA.aff#n144

As far as I can gather from hunspell's documentation, that last string permits
a regex-*like* format, but not a full regex. Specifically the "^" anchor
appears to be unsupported, and the "^" character only recognized for negated
classes such as "[^abc]".

I've tried loading that dictionary with hunspell 1.7.0, compiled with MSVC
2015.3, with STL iterator debugging enabled. The iterator debugging asserts on
line 4360 of hunspell's affixmgr.cxx while processing the above SFX statement.

https://github.com/hunspell/hunspell/blob/v1.7.0/src/hunspell/affixmgr.cxx#L4360

Hunspell here uses a reverse_iterator to iterate over an already reversed copy
of the string "^.{1,3}[aeiouyëê]ng", and attempts to inspect the character
preceding the "^", which would dereference the invalid iterator
string.rbegin()-1.

Of course a release build would quietly do the out-of-bounds access. I wasn't
able to force any misbehavior in 6.3.0.1 (which, unlike 6.2.5, contains the
broken dictionary). But I don't speak Afrikaans, so I can't ascertain to what
degree the dictionary is actually doing what it's supposed to do.

Steps to Reproduce:
1. build hunspell with iterator debugging
2. load af_ZA dictionary

Actual Results:
iterator debugging reports out-of-bounds access

Expected Results:
loading dictionary succeeds


Reproducible: Always


User Profile Reset: No



Additional Info:

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/libreoffice-bugs/attachments/20190709/afced6c9/attachment.html>

More information about the Libreoffice-bugs mailing list