libselinux: label_file: fix potential read past buffer in spec_hasMetaChars

An illegal regex may end with a single \ followed by nul.  This could
cause us to search past the end of the character array.  The loop
formation looks like so:

        c = regex_str;
        len = strlen(c);
        end = c + len;

        while (c != end) {
                switch (*c) {
                ...
                case '\\':      /* skip the next character */
                        c++;
                        break;
                ...
                }
                c++;
        }

If the \ is the last character then we will increment c and break from
the switch.  The while loop will then increment c.  So now c == end+1.
This means we will keep running into infinity and beyond!  Easy fix.
Make the loop check (c < end).  Thus even if we jump past end, we still
exit the loop.

Signed-off-by: Eric Paris <eparis@redhat.com>
Eric Paris 2012-08-27 13:27:53 -04:00
parent 48682e2853
commit dd61029c54
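
The off-by-one described in the commit message, as an added example that is not part of the commit or of libselinux: it walks the string with an index instead of the `c`/`end` pointers, so the overshoot can be measured without reading out of bounds. `scan_regex`, `struct scan_result` and the sample strings are constructed for illustration, and only the two meta characters visible in the diff are checked.

```c
#include <stdio.h>
#include <string.h>

struct scan_result {
    int has_meta;      /* 1 if an unescaped meta character was seen */
    size_t overshoot;  /* how far the cursor ended up beyond len */
};

/* Illustrative scan (hypothetical helper, not the libselinux function). */
static struct scan_result scan_regex(const char *regex_str)
{
    struct scan_result r = { 0, 0 };
    size_t len = strlen(regex_str);
    size_t i = 0;

    /* With "i != len" a trailing backslash would step i from len - 1 to
     * len + 1, skip the exit test, and the next regex_str[i] would read
     * outside the buffer.  "i < len" exits even after overshooting. */
    while (i < len) {
        switch (regex_str[i]) {
        case '.':
        case '^':
            r.has_meta = 1;
            return r;
        case '\\':      /* skip the next character */
            i++;
            break;
        }
        i++;
    }
    r.overshoot = i - len;  /* 1 only when the string ends in a lone backslash */
    return r;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "abc", "a.b", "a\\.b", "abc\\" };
    for (size_t k = 0; k < sizeof(samples) / sizeof(samples[0]); k++) {
        struct scan_result r = scan_regex(samples[k]);
        printf("%-6s meta=%d overshoot=%zu\n",
               samples[k], r.has_meta, r.overshoot);
    }
    return 0;
}
```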


@ -88,7 +88,7 @@ static inline void spec_hasMetaChars(struct spec *spec)
/* Look at each character in the RE specification string for a
* meta character. Return when any meta character reached. */
while (c != end) {
while (c < end) {
switch (*c) {
case '.':
case '^':
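
Review bot: The changed `while (c < end)` line now relies on `<` rather than `!=` for memory safety, but the comment directly above it still only describes the meta-character scan, so a later cleanup could turn it back into `!=`. Add a sentence to that comment saying `c` can step past `end` after a trailing backslash escape. It would also be worth guarding the skip itself so `c` never leaves the string, for example by advancing in the `'\\'` case only when `c + 1 < end`.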