In previous code, if hexit == 0, then the boundary for 'out' is not checked. This patch fixes it.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10710 Signed-off-by: Yifeng Sun <[email protected]> --- v1->v2: Fix email subject by adding [ovs-dev] v2->v3: Fix the code to handle any number of leading zeros, thanks Ben! ovn/lib/lex.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/ovn/lib/lex.c b/ovn/lib/lex.c index 0514950de6bf..7a2ab4111e50 100644 --- a/ovn/lib/lex.c +++ b/ovn/lib/lex.c @@ -332,13 +332,15 @@ lex_parse_hex_integer(const char *start, size_t len, struct lex_token *token) if (hexit < 0) { lex_error(token, "Invalid syntax in hexadecimal constant."); return; + } else if (hexit) { + /* Check within loop to ignore any number of leading zeros. */ + if (i / 2 >= sizeof token->value.u8) { + lex_error(token, "Hexadecimal constant requires more than " + "%"PRIuSIZE" bits.", 8 * sizeof token->value.u8); + return; + } + out[-(i / 2)] |= i % 2 ? hexit << 4 : hexit; } - if (hexit && i / 2 >= sizeof token->value.u8) { - lex_error(token, "Hexadecimal constant requires more than " - "%"PRIuSIZE" bits.", 8 * sizeof token->value.u8); - return; - } - out[-(i / 2)] |= i % 2 ? hexit << 4 : hexit; } token->format = LEX_F_HEXADECIMAL; } -- 2.7.4 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
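Review bot: The new `else if (hexit)` branch in lex_parse_hex_integer() has no regression test; the diffstat lists only ovn/lib/lex.c. Please add a lexer test case with a hexadecimal constant that has more leading zeros than fit in `sizeof token->value.u8`, and one whose nonzero digits exceed that width, so both the skip path and the "requires more than ... bits" error path are exercised. The comment "Check within loop to ignore any number of leading zeros" would also be clearer if it stated the actual invariant: zero digits are skipped so that `out[-(i / 2)]` is only touched after the bounds check passes. Since zero digits are no longer written at all, the result depends on the token value being zeroed before the loop, which this hunk does not show; worth confirming.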
