From fe34851e64ecce88d0e936394e79dc06f66d3b9b Mon Sep 17 00:00:00 2001
From: =?utf8?q?=D0=90=D0=BB=D0=B5=D0=BA=D1=81=D0=B0=D0=BD=D0=B4=D1=80=20?= =?utf8?q?=D0=A3=D1=88=D0=B0=D0=BA=D0=BE=D0=B2?=
Date: Mon, 28 Jul 2025 13:23:12 +0300
Subject: [PATCH] src/lex.l: fix pointer overflow in yylex()

UBSAN reported a pointer overflow bug when a fuzz test passed empty strings to cgroup_init_templates_cache(). The issue is triggered by the strlen(yylval.name - 1) check, which returns a negative value. This value is then implicitly cast to an unsigned long long, causing incorrect behavior. Fix this by adding checks for empty strings inputs. This issue was discovered while running fuzz tests using the Clang compiler.

[Kamalesh added commit message]

Signed-off-by: Aleksandr Ushakov
Acked-by: Tom Hromatka
Signed-off-by: Kamalesh Babulal
(cherry picked from commit 05ce62bca993c260af6478a1f2035bb0c73050a9)
---
 src/lex.l | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/lex.l b/src/lex.l
index 5f680fc8..79f27633 100644
--- a/src/lex.l
+++ b/src/lex.l
@@ -39,7 +39,15 @@ jmp_buf parser_error_env;
 "systemd" {return SYSTEMD;}
 "default" {yylval.name = strdup(yytext); return DEFAULT;}
 [a-zA-Z0-9_\-\/\.\,\%\@\\]+ {yylval.name = strdup(yytext); return ID;}
-\"[^"]*\" {yylval.name = strdup(yytext+1); yylval.name[strlen(yylval.name)-1] = '\0'; return ID; }
+\"[^"]*\" {
+ if (yytext[0] != '\0' && yytext[1] != '\0') {
+ yylval.name = strdup(yytext+1);
+ yylval.name[strlen(yylval.name)-1] = '\0';
+ } else {
+ yylval.name = strdup("");
+ }
+ return ID;
+ }
 . {return yytext[0];}
 %%
-- 
2.47.2
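Review bot: The new branch still writes through `yylval.name` immediately after `strdup(yytext+1)` without checking for NULL, so an allocation failure becomes a NULL-pointer write at `yylval.name[strlen(yylval.name)-1] = '\0';` — the one spot in this rule that dereferences the result, unlike the sibling `strdup` rules above that only store it. Guarding the write keeps the rule consistent with those siblings (a NULL name is handed to the parser in both cases) while removing the crash: `if (yylval.name != NULL) yylval.name[strlen(yylval.name)-1] = '\0';`. Separately, the pattern `\"[^"]*\"` always matches both quote characters, so a reader will see `yytext[1] != '\0'` as unreachable; the condition is presumably reached only when yytext is not the text this rule matched (the empty-input case the commit message describes), and a short comment on the `if` would save the next maintainer from removing it, e.g. `/* yytext can be shorter than the pattern on empty/invalid input; guard before stripping the quotes */`. The `strdup("")` in the else branch is likewise unchecked but is not dereferenced here, so it matches the file's existing convention.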