diff options
| author | Nathan Kinder <nkinder@redhat.com> | 2010-09-24 10:04:12 -0700 |
|---|---|---|
| committer | Nathan Kinder <nkinder@redhat.com> | 2010-09-24 10:04:12 -0700 |
| commit | dcfd94bd55a5e07f870f9ab1ea9d84a3f171b899 (patch) | |
| tree | 52a33dfccfd0e8bf0fb58fb98e829fcfbfb395b2 | |
| parent | 3561044171c4905659a2680658d9208eab5bd35e (diff) | |
| download | ds-dcfd94bd55a5e07f870f9ab1ea9d84a3f171b899.tar.gz ds-dcfd94bd55a5e07f870f9ab1ea9d84a3f171b899.tar.xz ds-dcfd94bd55a5e07f870f9ab1ea9d84a3f171b899.zip | |
Bug 630091 - (cov#11973) Array overrun in libaccess
When going through the exceptions table in libaccess, we don't
check if we are at the last pair of elements in the array before
incrementing to the next pair. This patch adds checks to see if
we are at the last pair of elements and avoids the increment if
necessary.
| -rw-r--r-- | lib/libaccess/acl.tab.cpp | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/lib/libaccess/acl.tab.cpp b/lib/libaccess/acl.tab.cpp index ddf40a6d..ad828ac2 100644 --- a/lib/libaccess/acl.tab.cpp +++ b/lib/libaccess/acl.tab.cpp @@ -962,14 +962,20 @@ int acl_Parse() { register int *aclxi = aclexca; - while ( ( *aclxi != -1 ) || - ( aclxi[1] != acl_state ) ) + /* The first element of the last pair is -2, so we + * need to make sure we don't increment past it. */ + while ( (*aclxi != -2) && ((*aclxi != -1) || + (aclxi[1] != acl_state)) ) { aclxi += 2; } - while ( ( *(aclxi += 2) >= 0 ) && - ( *aclxi != aclchar ) ) + + while ( (*aclxi != -2) && (*(aclxi += 2) >= 0) && + (*aclxi != aclchar) ) + { ; + } + if ( ( acl_n = aclxi[1] ) < 0 ) ACLACCEPT; } |