src/lex.l: fix pointer overflow in yylex() release-3.2
authorАлександр Ушаков <aushakov@astralinux.ru>
Mon, 28 Jul 2025 10:23:12 +0000 (13:23 +0300)
committerKamalesh Babulal <kamalesh.babulal@oracle.com>
Thu, 14 Aug 2025 11:31:08 +0000 (17:01 +0530)
UBSAN reported a pointer overflow bug when a fuzz test passed empty
strings to cgroup_init_templates_cache(). The issue is triggered by
the `yylval.name[strlen(yylval.name)-1]` index: for an empty string
strlen() returns 0, and subtracting 1 from that unsigned size_t wraps
around to a huge index, so the write lands far outside the allocation.
Fix this by adding checks for empty string inputs.

This issue was discovered while running fuzz tests using the Clang
compiler.

[Kamalesh added commit message]
Signed-off-by: Aleksandr Ushakov <aushakov@astralinux.ru>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
(cherry picked from commit 05ce62bca993c260af6478a1f2035bb0c73050a9)

src/lex.l

index 5f680fc839c31f2f513bf7f47cd78ddebe0ba9bc..79f2763396278958bbce57a416b3e76800850b2f 100644 (file)
--- a/src/lex.l
+++ b/src/lex.l
@@ -39,7 +39,15 @@ jmp_buf parser_error_env;
 "systemd"      {return SYSTEMD;}
 "default"      {yylval.name = strdup(yytext); return DEFAULT;}
 [a-zA-Z0-9_\-\/\.\,\%\@\\]+ {yylval.name = strdup(yytext); return ID;}
-\"[^"]*\" {yylval.name = strdup(yytext+1); yylval.name[strlen(yylval.name)-1] = '\0'; return ID; }
+\"[^"]*\"      {
+       if (yytext[0] != '\0' && yytext[1] != '\0') {
+               yylval.name = strdup(yytext+1); 
+               yylval.name[strlen(yylval.name)-1] = '\0';
+       } else {
+               yylval.name = strdup("");
+       } 
+       return ID;
+       } 
 .      {return yytext[0];}
 %%
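Review bot: The strdup() result on the new line `yylval.name = strdup(yytext+1);` is still indexed on the following line without a NULL check, so an allocation failure dereferences NULL (and strlen(NULL) is undefined) — the same hazard the replaced line had. Because the pattern `\"[^"]*\"` always begins with a quote, `yytext[0] != '\0'` can never be false; the case the else-branch actually covers is an embedded NUL byte directly after the opening quote, which `[^"]*` can match, and a comment saying so would help, e.g. `/* "\0...": strlen(yytext+1) is 0, so the -1 index below would wrap */`. A shorter form that needs neither the guard nor the strlen()-1 index is `yylval.name = strndup(yytext + 1, yyleng - 2);` followed by a NULL check; how a NULL name should be reported is not visible here (parser_error_env in the hunk header suggests a longjmp error path, but its use lies outside the hunk). The trailing whitespace on the strdup line and the two closing-brace lines should also be dropped.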