From b3aff7d6335c3aa4aed68d188cc37ed265958ecd Mon Sep 17 00:00:00 2001
From: Stefan Weil
Date: Sun, 10 Mar 2019 18:26:40 +0100
Subject: [PATCH] Fix Index-out-of-bounds in IntegerMatcher::UpdateTablesForFeature

This fixes issue #2299, an issue which was already reported by static code analyzers and now by OSS-Fuzz, see details at https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13597. The Tesseract code assigns an address which is out-of-bounds to a pointer variable, but increments that variable later. So this is a false positive. Change the code nevertheless to satisfy OSS-Fuzz.

Signed-off-by: Stefan Weil
---
 src/classify/intmatcher.cpp | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/src/classify/intmatcher.cpp b/src/classify/intmatcher.cpp
index 7740d269a8..3b1be4e543 100644
--- a/src/classify/intmatcher.cpp
+++ b/src/classify/intmatcher.cpp
@@ -767,8 +767,6 @@ int IntegerMatcher::UpdateTablesForFeature(
   uint8_t proto_byte;
   int32_t proto_word_offset;
   int32_t proto_offset;
-  uint8_t config_byte;
-  int32_t config_offset;
   PROTO_SET ProtoSet;
   uint32_t *ProtoPrunerPtr;
   INT_PROTO Proto;
@@ -777,7 +775,6 @@ int IntegerMatcher::UpdateTablesForFeature(
   uint32_t XFeatureAddress;
   uint32_t YFeatureAddress;
   uint32_t ThetaFeatureAddress;
-  uint8_t* UINT8Pointer;
   int ProtoIndex;
   uint8_t Temp;
   int* IntPointer;
@@ -850,21 +847,22 @@ int IntegerMatcher::UpdateTablesForFeature(
       ConfigWord &= *ConfigMask;
-      UINT8Pointer = tables->feature_evidence_ - 8;
-      config_byte = 0;
+      uint8_t feature_evidence_index = 0;
+      uint8_t config_byte = 0;
       while (ConfigWord != 0 || config_byte != 0) {
         while (config_byte == 0) {
           config_byte = ConfigWord & 0xff;
           ConfigWord >>= 8;
-          UINT8Pointer += 8;
+          feature_evidence_index += 8;
         }
-        config_offset = offset_table[config_byte];
+        const uint8_t config_offset =
+            offset_table[config_byte] + feature_evidence_index - 8;
         config_byte = next_table[config_byte];
-        if (Evidence > UINT8Pointer[config_offset])
-          UINT8Pointer[config_offset] = Evidence;
+        if (Evidence > tables->feature_evidence_[config_offset])
+          tables->feature_evidence_[config_offset] = Evidence;
       }
-      UINT8Pointer =
+      uint8_t* UINT8Pointer =
           &(tables->proto_evidence_[ActualProtoNum + proto_offset][0]);
       for (ProtoIndex =
                ClassTemplate->ProtoLengths[ActualProtoNum + proto_offset];
@@ -888,7 +886,7 @@ int IntegerMatcher::UpdateTablesForFeature(
   }
   IntPointer = tables->sum_feature_evidence_;
-  UINT8Pointer = tables->feature_evidence_;
+  uint8_t* UINT8Pointer = tables->feature_evidence_;
   int SumOverConfigs = 0;
   for (ConfigNum = ClassTemplate->NumConfigs; ConfigNum > 0; ConfigNum--) {
     int evidence = *UINT8Pointer++;
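Review bot: The new `const uint8_t config_offset = offset_table[config_byte] + feature_evidence_index - 8;` implicitly narrows an int expression into uint8_t, replacing the removed `int32_t config_offset` with a smaller type and no statement of why the value cannot wrap; the bound depends on the width of ConfigWord, which is declared outside this hunk. Keeping the wider type, `const int config_offset = offset_table[config_byte] + feature_evidence_index - 8;`, avoids the conversion warning and leaves room for an assert against the size of feature_evidence_, which is what the fuzzer finding is really about. The trailing `- 8` is also less readable than the pointer trick it replaces: feature_evidence_index is advanced past the current byte in the inner loop before it is used, and a comment at that increment, `// consumed one byte; its base index is feature_evidence_index - 8`, would record that. UpdateTablesForFeature starts before this hunk and continues past it.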