author | Yifeng Sun <pkusunyifeng@gmail.com> | 2018-10-02 13:20:42 -0700 |
---|---|---|
committer | Ben Pfaff <blp@ovn.org> | 2018-10-02 14:51:55 -0700 |
commit | 9443c4746b55c8220262942e8bdd0df8ddbc0e04 (patch) | |
tree | af1b8fb8aee12ec8c3066831e7125c39a65eddde | |
parent | 8ffd67646634168089eaa47116183918384a89ec (diff) | |
download | openvswitch-9443c4746b55c8220262942e8bdd0df8ddbc0e04.tar.gz |
lex: Fix buffer overrun parsing overlong hexadecimal constants.
In previous code, if hexit == 0, then the boundary for 'out' is
not checked. This patch fixes it.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10710
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
-rw-r--r-- | ovn/lib/lex.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/ovn/lib/lex.c b/ovn/lib/lex.c
index be34e5478..aafafddab 100644
--- a/ovn/lib/lex.c
+++ b/ovn/lib/lex.c
@@ -328,13 +328,15 @@ lex_parse_hex_integer(const char *start, size_t len, struct lex_token *token)
 if (hexit < 0) {
 lex_error(token, "Invalid syntax in hexadecimal constant.");
 return;
+ } else if (hexit) {
+ /* Check within loop to ignore any number of leading zeros. */
+ if (i / 2 >= sizeof token->value.u8) {
+ lex_error(token, "Hexadecimal constant requires more than "
+ "%"PRIuSIZE" bits.", 8 * sizeof token->value.u8);
+ return;
+ }
+ out[-(i / 2)] |= i % 2 ? hexit << 4 : hexit;
 }
- if (hexit && i / 2 >= sizeof token->value.u8) {
- lex_error(token, "Hexadecimal constant requires more than "
- "%"PRIuSIZE" bits.", 8 * sizeof token->value.u8);
- return;
- }
- out[-(i / 2)] |= i % 2 ? hexit << 4 : hexit;
 }
 token->format = LEX_F_HEXADECIMAL;
 } |
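Review bot: The comment on the new `else if (hexit)` branch gives the leading-zero motivation but not the memory-safety invariant this fix establishes, namely that the store to `out[-(i / 2)]` is now reachable only after the bounds check. I would extend it to something like `/* Zero digits OR in nothing, so skip them; every store to 'out' below is preceded by the bounds check. */` so a later refactor does not hoist the store back out of the branch. The diffstat lists only ovn/lib/lex.c, so the fix appears to ship without a regression test; a lexer test with a constant longer than `2 * sizeof token->value.u8` hex digits whose excess digits are all zero would pin the behaviour the fuzzer found. The loop header and the declarations of `i` and `out` are outside the hunk, so the signedness of the `i / 2 >= sizeof …` comparison cannot be confirmed from here.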