From dd61029c549b01efe41576a3406f6ff513699461 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Mon, 27 Aug 2012 13:27:53 -0400 Subject: [PATCH] libselinux: label_file: fix potential read past buffer in spec_hasMetaChars An illegal regex may end with a single \ followed by nul. This could cause us to search past the end of the character array. The loop formation looks like so: c = regex_str; len = strlen(c); end = c + len; while (c != end) { switch (*c) { ... case '\\': /* skip the next character */ c++; break; ... } c++; } If the \ is the last character then we will increment c and break from the switch. The while loop will then increment c. So now c == end+1. This means we will keep running into infinity and beyond! Easy fix. Make the loop check (c < end). Thus even if we jump past end, we still exit the loop. Signed-off-by: Eric Paris --- libselinux/src/label_file.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h index 89f68cd1..4349c662 100644 --- a/libselinux/src/label_file.h +++ b/libselinux/src/label_file.h @@ -88,7 +88,7 @@ static inline void spec_hasMetaChars(struct spec *spec) /* Look at each character in the RE specification string for a * meta character. Return when any meta character reached. */ - while (c != end) { + while (c < end) { switch (*c) { case '.': case '^':
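Review bot: in the `@@ -88,7 +88,7 @@` hunk of libselinux/src/label_file.h, `while (c < end)` stops the overrun, but nothing in the code says why the condition is `<` rather than `!=`, so a later cleanup could change it back. The existing comment above the loop only describes the meta-character scan. Consider extending it to say that the `case '\\'` skip described in the commit message can leave `c` at `end + 1` when the regex ends in a lone backslash. A more explicit alternative is to guard the skip itself, for example advancing only when the character after the backslash is not the terminating nul, so that `c` never moves past `end` and the loop condition does not have to absorb the overshoot. With the change as posted, `c` can still reach `end + 1` before the comparison runs. That is safe only as long as the string's storage ends right after the nul or extends beyond it, and at most one extra increment happens per iteration. A regression test with a spec whose regex ends in a single `\` would pin this behaviour down.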