[ovs-dev] [PATCH v3] lex: Fix stack underflow bug reported by Fuzz

[Yifeng Sun]

In previous code, if hexit == 0, then the boundary for 'out' is
not checked. This patch fixes it.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10710
Signed-off-by: Yifeng Sun <pkusunyifeng at gmail.com>
---
v1->v2: Fix email subject by adding [ovs-dev]
v2->v3: Fix the code to handle any number of leading zeros, thanks Ben!

 ovn/lib/lex.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/ovn/lib/lex.c b/ovn/lib/lex.c
index 0514950de6bf..7a2ab4111e50 100644
--- a/ovn/lib/lex.c
+++ b/ovn/lib/lex.c
@@ -332,13 +332,15 @@ lex_parse_hex_integer(const char *start, size_t len, struct lex_token *token)
         if (hexit < 0) {
             lex_error(token, "Invalid syntax in hexadecimal constant.");
             return;
+        } else if (hexit) {
+            /* Check within loop to ignore any number of leading zeros. */
+            if (i / 2 >= sizeof token->value.u8) {
+                lex_error(token, "Hexadecimal constant requires more than "
+                          "%"PRIuSIZE" bits.", 8 * sizeof token->value.u8);
+                return;
+            }
+            out[-(i / 2)] |= i % 2 ? hexit << 4 : hexit;
         }
-        if (hexit && i / 2 >= sizeof token->value.u8) {
-            lex_error(token, "Hexadecimal constant requires more than "
-                      "%"PRIuSIZE" bits.", 8 * sizeof token->value.u8);
-            return;
-        }
-        out[-(i / 2)] |= i % 2 ? hexit << 4 : hexit;
     }
     token->format = LEX_F_HEXADECIMAL;
 }
-- 
2.7.4