libselinux: label_file: fix potential read past buffer in spec_hasMetaChars

An illegal regex may end with a single \ followed by nul. This could cause us to search past the end of the character array. The loop formation looks like so: c = regex_str; len = strlen(c); end = c + len; while (c != end) { switch (*c) { ... case '\\': /* skip the next character */ c++; break; ... } c++; } If the \ is the last character then we will increment c and break from the switch. The while loop will then increment c. So now c == end+1. This means we will keep running into infinity and beyond! Easy fix. Make the loop check (c < end). Thus even if we jump past end, we still exit the loop. Signed-off-by: Eric Paris <eparis@redhat.com>
2012-08-27 13:27:53 -04:00 · 2012-08-27 13:27:53 -04:00 · dd61029c54
commit dd61029c54
parent 48682e2853
1 changed files with 1 additions and 1 deletions
--- a/libselinux/src/label_file.h
+++ b/libselinux/src/label_file.h
@ -88,7 +88,7 @@ static inline void spec_hasMetaChars(struct spec *spec)

 	/* Look at each character in the RE specification string for a
 	 * meta character. Return when any meta character reached. */
-	while (c != end) {
+	while (c < end) {
 		switch (*c) {
 		case '.':
 		case '^':