Fix Index-out-of-bounds in IntegerMatcher::UpdateTablesForFeature

This fixes issue #2299, an issue which was already reported by static code analyzers and now by OSS-Fuzz, see details at https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13597. The Tesseract code assigns an address which is out-of-bounds to a pointer variable, but increments that variable later. So this is a false positive. Change the code nevertheless to satisfy OSS-Fuzz. Signed-off-by: Stefan Weil <sw@weilnetz.de>
tesseract-ocr · Mar 10, 2019 · b3aff7d · b3aff7d
1 parent 91d0a71
commit b3aff7d
Showing 1 changed file with 9 additions and 11 deletions.
diff --git a/src/classify/intmatcher.cpp b/src/classify/intmatcher.cpp
@@ -767,8 +767,6 @@ int IntegerMatcher::UpdateTablesForFeature(
   uint8_t proto_byte;
   int32_t proto_word_offset;
   int32_t proto_offset;
-  uint8_t config_byte;
-  int32_t config_offset;
   PROTO_SET ProtoSet;
   uint32_t *ProtoPrunerPtr;
   INT_PROTO Proto;
@@ -777,7 +775,6 @@ int IntegerMatcher::UpdateTablesForFeature(
   uint32_t XFeatureAddress;
   uint32_t YFeatureAddress;
   uint32_t ThetaFeatureAddress;
-  uint8_t* UINT8Pointer;
   int ProtoIndex;
   uint8_t Temp;
   int* IntPointer;
@@ -850,21 +847,22 @@ int IntegerMatcher::UpdateTablesForFeature(
 
           ConfigWord &= *ConfigMask;
 
-          UINT8Pointer = tables->feature_evidence_ - 8;
-          config_byte = 0;
+          uint8_t feature_evidence_index = 0;
+          uint8_t config_byte = 0;
           while (ConfigWord != 0 || config_byte != 0) {
             while (config_byte == 0) {
               config_byte = ConfigWord & 0xff;
               ConfigWord >>= 8;
-              UINT8Pointer += 8;
+              feature_evidence_index += 8;
             }
-            config_offset = offset_table[config_byte];
+            const uint8_t config_offset =
+              offset_table[config_byte] + feature_evidence_index - 8;
             config_byte = next_table[config_byte];
-            if (Evidence > UINT8Pointer[config_offset])
-              UINT8Pointer[config_offset] = Evidence;
+            if (Evidence > tables->feature_evidence_[config_offset])
+              tables->feature_evidence_[config_offset] = Evidence;
           }
 
-          UINT8Pointer =
+          uint8_t* UINT8Pointer =
             &(tables->proto_evidence_[ActualProtoNum + proto_offset][0]);
           for (ProtoIndex =
             ClassTemplate->ProtoLengths[ActualProtoNum + proto_offset];
@@ -888,7 +886,7 @@ int IntegerMatcher::UpdateTablesForFeature(
   }
 
   IntPointer = tables->sum_feature_evidence_;
-  UINT8Pointer = tables->feature_evidence_;
+  uint8_t* UINT8Pointer = tables->feature_evidence_;
   int SumOverConfigs = 0;
   for (ConfigNum = ClassTemplate->NumConfigs; ConfigNum > 0; ConfigNum--) {
     int evidence = *UINT8Pointer++;