From 21853b01e65f8b79bdf478d4fe470dcb1639cc48 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Wed, 20 Dec 2023 13:40:15 +1300
Subject: [PATCH] libcli/security: sddl conditional ACE: write -0 when asked
Credit to OSS-Fuzz.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65122
Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
 libcli/security/sddl_conditional_ace.c | 11 ++++++++---
 selftest/knownfail.d/sddl-conditional-ace | 1 -
 2 files changed, 8 insertions(+), 4 deletions(-)
 delete mode 100644 selftest/knownfail.d/sddl-conditional-ace
diff --git a/libcli/security/sddl_conditional_ace.c b/libcli/security/sddl_conditional_ace.c
index 75a80e758ad..e9d83b7f9c1 100644
--- a/libcli/security/sddl_conditional_ace.c
+++ b/libcli/security/sddl_conditional_ace.c
@@ -653,11 +653,16 @@ static bool sddl_write_int(struct sddl_write_context *ctx,
 }
 sign_char = (sign == CONDITIONAL_ACE_INT_SIGN_NEGATIVE) ? '-' : '+';
 /*
- * We can use "%+ld" for the decimal sign, but "%+lx" and "%+lo" are
- * invalid because %o and %x are unsigned.
+ * We can use "%+ld" for the decimal sign (except -0), but
+ * "%+lx" and "%+lo" are invalid because %o and %x are
+ * unsigned.
 */
 if (base == CONDITIONAL_ACE_INT_BASE_10) {
- snprintf(buf, sizeof(buf), "%+"PRId64, v);
+ if (v == 0) {
+ snprintf(buf, sizeof(buf), "%c0", sign_char);
+ } else {
+ snprintf(buf, sizeof(buf), "%+"PRId64, v);
+ }
 return sddl_write(ctx, buf);
 }
diff --git a/selftest/knownfail.d/sddl-conditional-ace b/selftest/knownfail.d/sddl-conditional-ace
deleted file mode 100644
index f253ee9b738..00000000000
--- a/selftest/knownfail.d/sddl-conditional-ace
+++ /dev/null
@@ -1 +0,0 @@
-samba.unittests.sddl_conditional_ace.test_round_trips
-- 
2.47.3
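Review bot: The new `if (v == 0)` branch in the base-10 path of sddl_write_int has no comment of its own saying why zero bypasses `"%+"PRId64`; the block comment above it only says "(except -0)". I would add `/* int64 has no negative zero, so "%+" always prints "+0"; take the sign from the token so "-0" round-trips */` directly above `snprintf(buf, sizeof(buf), "%c0", sign_char);`. The branch also writes `+0` for every `sign` value other than `CONDITIONAL_ACE_INT_SIGN_NEGATIVE`, which is only right if an unsigned token has already been handled before this point. sddl_write_int begins before the hunk and continues after it, so that cannot be confirmed from the lines shown.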