libselinux: ensure strlen() is not called on NULL

When compile_regex() calls regex_prepare_data() and this function fails
in the following condition:

    *regex = regex_data_create();
    if (!(*regex))
        return -1;

... error_data has been zero-ed and compile_regex() calls:

    regex_format_error(&error_data,
        regex_error_format_buffer,
        sizeof(regex_error_format_buffer));

This leads to a call to strlen(error_data->error_buffer), where
error_data->error_buffer is NULL.

Avoid this by checking that error_data->error_buffer is not NULL before
trying to format it.

This issue has been found using clang's static analyzer:
https://337-118970575-gh.circle-artifacts.com/0/output-scan-build/2019-09-01-181851-6152-1/report-0b122b.html#EndPath

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This commit is contained in:
Nicolas Iooss 2019-09-20 07:59:54 +02:00 committed by Stephen Smalley
parent b550c0e202
commit 340da085a5

View File

@ -519,6 +519,29 @@ void regex_format_error(struct regex_error_data const *error_data, char *buffer,
if (pos >= buf_size)
goto truncated;
/* Return early if there is no error to format */
#ifdef USE_PCRE2
if (!error_data->error_code) {
rc = snprintf(buffer + pos, buf_size - pos, "no error code");
if (rc < 0)
abort();
pos += rc;
if (pos >= buf_size)
goto truncated;
return;
}
#else
if (!error_data->error_buffer) {
rc = snprintf(buffer + pos, buf_size - pos, "empty error");
if (rc < 0)
abort();
pos += rc;
if (pos >= buf_size)
goto truncated;
return;
}
#endif
if (error_data->error_offset > 0) {
#ifdef USE_PCRE2
rc = snprintf(buffer + pos, buf_size - pos, "At offset %zu: ",