From: Александр Ушаков Date: Mon, 28 Jul 2025 10:23:12 +0000 (+0300) Subject: src/lex.l: fix pointer overflow in yylex() X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fheads%2Frelease-3.2;p=thirdparty%2Flibcgroup.git src/lex.l: fix pointer overflow in yylex() UBSAN reported a pointer overflow bug when a fuzz test passed empty strings to cgroup_init_templates_cache(). The issue is triggered by the strlen(yylval.name - 1) check, which returns a negative value. This value is then implicitly cast to an unsigned long long, causing incorrect behavior. Fix this by adding checks for empty strings inputs. This issue was discovered while running fuzz tests using the Clang compiler. [Kamalesh added commit message] Signed-off-by: Aleksandr Ushakov Acked-by: Tom Hromatka Signed-off-by: Kamalesh Babulal (cherry picked from commit 05ce62bca993c260af6478a1f2035bb0c73050a9) --- diff --git a/src/lex.l b/src/lex.l index 5f680fc8..79f27633 100644 --- a/src/lex.l +++ b/src/lex.l @@ -39,7 +39,15 @@ jmp_buf parser_error_env; "systemd" {return SYSTEMD;} "default" {yylval.name = strdup(yytext); return DEFAULT;} [a-zA-Z0-9_\-\/\.\,\%\@\\]+ {yylval.name = strdup(yytext); return ID;} -\"[^"]*\" {yylval.name = strdup(yytext+1); yylval.name[strlen(yylval.name)-1] = '\0'; return ID; } +\"[^"]*\" { + if (yytext[0] != '\0' && yytext[1] != '\0') { + yylval.name = strdup(yytext+1); + yylval.name[strlen(yylval.name)-1] = '\0'; + } else { + yylval.name = strdup(""); + } + return ID; + } . {return yytext[0];} %%
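Review bot: the new guard in the `\"[^"]*\"` action tests `yytext[0]` and `yytext[1]` rather than the length of the string it actually indexes, so the intent (avoid `yylval.name[strlen(yylval.name)-1]` when `strlen()` returns 0 and the index wraps) has to be reconstructed by the reader. Consider checking the duplicated string directly, e.g. `size_t len = strlen(yylval.name); if (len > 0) yylval.name[len - 1] = '\0';`, which makes the underflow condition explicit and removes the need for the separate `strdup("")` branch. Two further points on the same lines: `strdup()` can return NULL and both branches still dereference or hand back the result unchecked (pre-existing, but this hunk now owns that code), and since the rule's pattern requires an opening and a closing quote, a short comment stating which input path yields a `yytext` shorter than two characters (the fuzz case described in the commit message) would help future readers understand why the `else` branch exists.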