authorYifeng Sun <pkusunyifeng@gmail.com>2018-10-02 13:20:42 -0700
committerBen Pfaff <blp@ovn.org>2018-10-02 14:51:55 -0700
commit9443c4746b55c8220262942e8bdd0df8ddbc0e04 (patch)
treeaf1b8fb8aee12ec8c3066831e7125c39a65eddde
parent8ffd67646634168089eaa47116183918384a89ec (diff)
downloadopenvswitch-9443c4746b55c8220262942e8bdd0df8ddbc0e04.tar.gz
lex: Fix buffer overrun parsing overlong hexadecimal constants.
In the previous code, if hexit == 0, the bounds of 'out' were not checked before it was accessed. This patch fixes it. Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10710 Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
-rw-r--r--ovn/lib/lex.c14
1 files changed, 8 insertions, 6 deletions
diff --git a/ovn/lib/lex.c b/ovn/lib/lex.c
index be34e5478..aafafddab 100644
--- a/ovn/lib/lex.c
+++ b/ovn/lib/lex.c
@@ -328,13 +328,15 @@ lex_parse_hex_integer(const char *start, size_t len, struct lex_token *token)
if (hexit < 0) {
lex_error(token, "Invalid syntax in hexadecimal constant.");
return;
+ } else if (hexit) {
+ /* Check within loop to ignore any number of leading zeros. */
+ if (i / 2 >= sizeof token->value.u8) {
+ lex_error(token, "Hexadecimal constant requires more than "
+ "%"PRIuSIZE" bits.", 8 * sizeof token->value.u8);
+ return;
+ }
+ out[-(i / 2)] |= i % 2 ? hexit << 4 : hexit;
}
- if (hexit && i / 2 >= sizeof token->value.u8) {
- lex_error(token, "Hexadecimal constant requires more than "
- "%"PRIuSIZE" bits.", 8 * sizeof token->value.u8);
- return;
- }
- out[-(i / 2)] |= i % 2 ? hexit << 4 : hexit;
}
token->format = LEX_F_HEXADECIMAL;
}
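Review bot: The comment on the new `else if (hexit)` branch says why the size check sits inside the loop, but not why skipping the store for a zero digit is safe, and that skip is what keeps the access to `out` in bounds. A zero hexit ORs nothing into `out`, so the result is only correct if the destination bytes are already zero before the loop, which presumably happens above the hunk or in the caller. I would spell that out, e.g. `/* Zero digits store nothing (value is pre-zeroed), so skip them: this allows any number of leading zeros and never touches out[-(i / 2)] past the buffer. */`. The diffstat lists only ovn/lib/lex.c, so a regression test covering a constant with more digits than `token->value.u8` holds, padded with leading zeros, appears to be missing. lex_parse_hex_integer begins outside the hunk, so the loop header and the setup of `out` could not be checked here.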