[ovs-dev] [PATCH v3] lex: Fix stack underflow bug reported by Fuzz
Yifeng Sun
pkusunyifeng at gmail.com
Tue Oct 2 20:20:42 UTC 2018
In previous code, if hexit == 0, then the boundary for 'out' is
not checked. This patch fixes it.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10710
Signed-off-by: Yifeng Sun <pkusunyifeng at gmail.com>
---
v1->v2: Fix email subject by adding [ovs-dev]
v2->v3: Fix the code to handle any number of leading zeros, thanks Ben!
ovn/lib/lex.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/ovn/lib/lex.c b/ovn/lib/lex.c
index 0514950de6bf..7a2ab4111e50 100644
--- a/ovn/lib/lex.c
+++ b/ovn/lib/lex.c
@@ -332,13 +332,15 @@ lex_parse_hex_integer(const char *start, size_t len, struct lex_token *token)
if (hexit < 0) {
lex_error(token, "Invalid syntax in hexadecimal constant.");
return;
+ } else if (hexit) {
+ /* Check within loop to ignore any number of leading zeros. */
+ if (i / 2 >= sizeof token->value.u8) {
+ lex_error(token, "Hexadecimal constant requires more than "
+ "%"PRIuSIZE" bits.", 8 * sizeof token->value.u8);
+ return;
+ }
+ out[-(i / 2)] |= i % 2 ? hexit << 4 : hexit;
}
- if (hexit && i / 2 >= sizeof token->value.u8) {
- lex_error(token, "Hexadecimal constant requires more than "
- "%"PRIuSIZE" bits.", 8 * sizeof token->value.u8);
- return;
- }
- out[-(i / 2)] |= i % 2 ? hexit << 4 : hexit;
}
token->format = LEX_F_HEXADECIMAL;
}
--
2.7.4
More information about the dev
mailing list