From dcfd94bd55a5e07f870f9ab1ea9d84a3f171b899 Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@redhat.com>
Date: Fri, 24 Sep 2010 10:04:12 -0700
Subject: Bug 630091 - (cov#11973) Array overrun in libaccess

When going through the exceptions table in libaccess, we don't
check if we are at the last pair of elements in the array before
incrementing to the next pair.  This patch adds checks to see if
we are at the last pair of elements and avoids the increment if
necessary.
---
 lib/libaccess/acl.tab.cpp | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/lib/libaccess/acl.tab.cpp b/lib/libaccess/acl.tab.cpp
index ddf40a6d..ad828ac2 100644
--- a/lib/libaccess/acl.tab.cpp
+++ b/lib/libaccess/acl.tab.cpp
@@ -962,14 +962,20 @@ int acl_Parse()
 			{
 				register int *aclxi = aclexca;
 
-				while ( ( *aclxi != -1 ) ||
-					( aclxi[1] != acl_state ) )
+				/* The first element of the last pair is -2, so we
+				 * need to make sure we don't increment past it. */
+				while ( (*aclxi != -2) && ((*aclxi != -1) ||
+					(aclxi[1] != acl_state)) )
 				{
 					aclxi += 2;
 				}
-				while ( ( *(aclxi += 2) >= 0 ) &&
-					( *aclxi != aclchar ) )
+
+				while ( (*aclxi != -2) && (*(aclxi += 2) >= 0) &&
+					(*aclxi != aclchar) )
+				{
 					;
+				}
+
 				if ( ( acl_n = aclxi[1] ) < 0 )
 					ACLACCEPT;
 			}
-- 
cgit