From: Christian Goeschel Ndjomouo Date: Mon, 2 Feb 2026 00:15:41 +0000 (-0500) Subject: lib: (strutils.c) fix unchecked lookahead in ul_parse_size() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9fbb9811ab1a147a0ff576f1534966031ffc0c4;p=thirdparty%2Futil-linux.git lib: (strutils.c) fix unchecked lookahead in ul_parse_size() If the numeric value provided to ul_parse_size() via @str is a decimal with fractions only containing zeros, the logic fails to identify the end of the string and goes to the label 'check_suffix' and will do an unchecked lookahead (*p + 1) that will result in an out-of-bounds read. This is because the logic only checks for null-termination when a fraction has been parsed, i.e. a fraction not only containing zeros. To fix the issue, we implicitly check for null-termination when we have finished parsing the fraction. Reported-by: Yashashree Gund Signed-off-by: Christian Goeschel Ndjomouo --- diff --git a/lib/strutils.c b/lib/strutils.c index 257e33555..dd67fc554 100644 --- a/lib/strutils.c +++ b/lib/strutils.c @@ -139,9 +139,9 @@ check_suffix: } else end = (char *) p; - if (frac && (!end || !*end)) { + if (!end || !*end) { rc = -EINVAL; - goto err; /* without suffix, but with frac */ + goto err; /* without suffix, but with fractions */ } p = end; goto check_suffix;
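Review bot: With `frac &&` dropped from the condition at `if (!end || !*end)`, a value whose fraction is all zeros and which has no suffix now returns -EINVAL, and neither the commit message nor the reworded comment says whether rejecting that input is intended or only a side effect of closing the out-of-bounds read. If it is intended, state it in the comment and in the documentation of ul_parse_size(); if it is not, treat the frac == 0 case at end of string as a successful parse rather than going to `err`. The new check also guards only this one `goto check_suffix`; testing at the label itself that `*p` is not the terminator before looking at `p + 1` would keep the lookahead safe for any other path that reaches it. The patch touches only lib/strutils.c, so a regression test with a zero-only fraction and no suffix would be worth adding alongside it.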