In the previous code, if hexit == 0, the boundary for 'out' was not checked. This patch fixes that and also moves the check out of the loop to improve the loop's performance.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10710
Signed-off-by: Yifeng Sun <pkusunyif...@gmail.com>
---
v1->v2: Fix email subject by adding [ovs-dev]
ovn/lib/lex.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/ovn/lib/lex.c b/ovn/lib/lex.c
index 0514950de6bf..269267730526 100644
--- a/ovn/lib/lex.c
+++ b/ovn/lib/lex.c
@@ -327,17 +327,18 @@ lex_parse_hex_integer(const char *start, size_t len, struct lex_token *token)
 const char *in = start + (len - 1);
 uint8_t *out = token->value.u8 + (sizeof token->value.u8 - 1);
 
+ if ((len - 1) / 2 >= sizeof token->value.u8) {
+ lex_error(token, "Hexadecimal constant requires more than "
+ "%"PRIuSIZE" bits.", 8 * sizeof token->value.u8);
+ return;
+ }
+
 for (int i = 0; i < len; i++) {
 int hexit = hexit_value(in[-i]);
 if (hexit < 0) {
 lex_error(token, "Invalid syntax in hexadecimal constant.");
 return;
 }
- if (hexit && i / 2 >= sizeof token->value.u8) {
- lex_error(token, "Hexadecimal constant requires more than "
- "%"PRIuSIZE" bits.", 8 * sizeof token->value.u8);
- return;
- }
 out[-(i / 2)] |= i % 2 ? hexit << 4 : hexit;
 }
 token->format = LEX_F_HEXADECIMAL;
-- 
2.7.4
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
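Review bot: The new guard computes `(len - 1) / 2` on a `size_t`, so a call with `len == 0` wraps to SIZE_MAX and reports "requires more than … bits" for an empty constant, where the old loop simply did not run. Whether any caller can pass zero is not visible here, because lex_parse_hex_integer starts and ends outside the hunk. Writing the guard as `if (len > 2 * sizeof token->value.u8) {` is equivalent for every non-zero length and has no subtraction that can wrap. The length check also rejects constants whose extra digits are all leading zeros, which the removed `hexit &&` condition let through (at the price of the out-of-bounds `|=` on `out` that the fuzzer reported). If zero-padded constants are meant to stay valid, the store should be skipped for zero digits rather than rejecting on length, and either way a short comment above the guard should state which behaviour is intended.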