lib/libaccess/acl.tab.cpp | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
New commits:
commit dcfd94bd55a5e07f870f9ab1ea9d84a3f171b899
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Fri Sep 24 10:04:12 2010 -0700
Bug 630091 - (cov#11973) Array overrun in libaccess
When going through the exceptions table in libaccess, we don't
check if we are at the last pair of elements in the array before
incrementing to the next pair. This patch adds checks to see if
we are at the last pair of elements and avoids the increment if
necessary.
diff --git a/lib/libaccess/acl.tab.cpp b/lib/libaccess/acl.tab.cpp
index ddf40a6..ad828ac 100644
--- a/lib/libaccess/acl.tab.cpp
+++ b/lib/libaccess/acl.tab.cpp
@@ -962,14 +962,20 @@ int acl_Parse()
{
register int *aclxi = aclexca;
- while ( ( *aclxi != -1 ) ||
- ( aclxi[1] != acl_state ) )
+ /* The first element of the last pair is -2, so we
+ * need to make sure we don't increment past it. */
+ while ( (*aclxi != -2) && ((*aclxi != -1) ||
+ (aclxi[1] != acl_state)) )
{
aclxi += 2;
}
- while ( ( *(aclxi += 2) >= 0 ) &&
- ( *aclxi != aclchar ) )
+
+ while ( (*aclxi != -2) && (*(aclxi += 2) >= 0) &&
+ (*aclxi != aclchar) )
+ {
;
+ }
+
if ( ( acl_n = aclxi[1] ) < 0 )
ACLACCEPT;
}
Show replies by thread