fix: out-of-bounds read in NumericUnkMaker::checkPeriod for trailing digit+period

eiennohito · eiennohito · commit 0126cbde5de4 · 2026-04-17T09:43:03.000+09:00
`checkPeriod` bounded the lookahead with `pos + 1 < codepoints.size()`, but the index it actually read was `posPeriod + 1 = start + pos + 1`. On the second pass of `spawnNodes` (start > 0) the two diverge, so inputs like `１０．` or `ほげ４．` read one past the end of the codepoint vector and caused the crash reported in #157. Bound the lookahead against the absolute index instead. Dropped the now-dead `pos + 1` check so the condition reflects what is actually being guarded. Added regression tests for `１０．` and `ほげ４．`; both abort on the prior code under libstdc++ debug mode / ASan. Closes #157.
diff --git a/src/core/analysis/numeric_creator.cc b/src/core/analysis/numeric_creator.cc
@@ -245,7 +245,7 @@ size_t NumericUnkMaker::checkPeriod(const CodepointStorage &codepoints,
   if (pos == 0) return 0;
   if (!codepoints[posPeriod].hasClass(PeriodClass)) return 0;
   if (!codepoints[posPeriod - 1].hasClass(charClass_)) return 0;
-  if (pos + 1 < codepoints.size() &&
+  if (posPeriod + 1 < codepoints.size() &&
       codepoints[posPeriod + 1].hasClass(charClass_))
     return 1;
   return 0;
diff --git a/src/core/analysis/numeric_creator_test.cc b/src/core/analysis/numeric_creator_test.cc
@@ -243,6 +243,27 @@ TEST_CASE("do not make numeric unk nodes ends with period") {
   CHECK(env.numNodeSeeds() == 1);
 }
 
+// Regression for ku-nlp/jumanpp#157: trailing digit+period caused a read
+// past the end of the codepoint vector during the second spawnNodes pass
+// (start > 0), because checkPeriod bounded the lookahead against `pos`
+// instead of the absolute position `start + pos`.
+TEST_CASE("multi-digit number followed by trailing period does not crash") {
+  NumericTestEnv env{"x,l1\nほげ,l2\n"};
+  env.analyze("１０．");
+  CHECK(env.contains("１０", 0, "l1"));
+  CHECK(env.contains("０", 1, "l1"));
+  CHECK(!env.contains("１０．", 0, "l1"));
+  CHECK(!env.contains("０．", 1, "l1"));
+  CHECK(env.numNodeSeeds() == 2);
+}
+
+TEST_CASE("digit+period preceded by non-numeric context does not crash") {
+  NumericTestEnv env{"x,l1\nほげ,l2\n"};
+  env.analyze("ほげ４．");
+  CHECK(env.contains("４", 2, "l1"));
+  CHECK(!env.contains("４．", 2, "l1"));
+}
+
 TEST_CASE("do not make numeric unk nodes starts with period") {
   NumericTestEnv env{"x,l1\nほげ,l2\n"};
   env.analyze("．４");
