The pointer type check unconditionally accesses len - 2 and it could be a problem when the given type string broken or malicious. Also the shortest supported type length is 2 (s8 and u8). So let's check the length first to prevent invalid access. Actually this was found in a fuzzer test. Signed-off-by: Namhyung Kim <namhyung@xxxxxxxxxx> --- src/event-parse.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/event-parse.c b/src/event-parse.c index f862f49..e4b337c 100644 --- a/src/event-parse.c +++ b/src/event-parse.c @@ -2437,6 +2437,10 @@ eval_type_str(unsigned long long val, const char *type, int pointer) int len; len = strlen(type); + if (len < 2) { + do_warning("invalid type: %s", type); + return val; + } if (pointer) { -- 2.36.0.550.gb090851708-goog
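Review bot: the new guard is placed before `if (pointer)`, so both the pointer branch's `len - 2` access and the non-pointer path now see a type string of at least two characters, and warning then returning `val` unchanged matches the failure convention the rest of the function already uses; suggest a one-line comment above the check explaining why 2 is the floor (the commit message's s8/u8 rationale) so the constant is self-documenting, and since `len` is an `int` assigned from `strlen()`, a `size_t` would avoid any sign/truncation surprise on the untrusted input this patch is hardening against.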