From 3e7fd1daba5d3d8c861606ab8d706269634022ad Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Fri, 7 Apr 2017 22:44:31 +0200 Subject: [PATCH] libsepol: do not wrap integers when checking bound Some invalid policies might have p->p_types.nprim = 0. When parsing such a policy, "i > p->p_types.nprim - 1" is always false even though reading p->type_val_to_struct[i] triggers a segmentation fault. Make type_set_expand() return an error when parsing such a policy by handling correctly when p->p_types.nprim is zero. This issue has been found while fuzzing semodule_package with the American Fuzzy Lop. Signed-off-by: Nicolas Iooss --- libsepol/src/expand.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 315fc65c..54bf781d 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -2527,7 +2527,7 @@ int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p, * invalid policies might have more types set in the ebitmap than * what's available in the type_val_to_struct mapping */ - if (i > p->p_types.nprim - 1) + if (i >= p->p_types.nprim) goto err_types; if (!p->type_val_to_struct[i]) {
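Review bot: The old comparison `i > p->p_types.nprim - 1` fails precisely in the case the commit message describes because `nprim` is an unsigned count, so `0 - 1` wraps to the maximum value and the check never rejects any `i`, leaving `p->type_val_to_struct[i]` to be read out of bounds; rewriting it as `i >= p->p_types.nprim` expresses the same bound without the subtraction and is the right fix. Since `> n - 1` is a classic unsigned-underflow trap, it is worth auditing the other bound checks in expand.c for the same idiom while here, and, if the fuzzer-generated policy is small enough, adding it as a regression input so that `type_set_expand()` is exercised with `nprim == 0` and is seen to take the `err_types` path rather than crash.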