When fuzzing hll/pp inputs, a policy module where the value of scope->decl_ids_len has been modified to zero makes the program abort (when it has been compiled without -DNDEBUG). Change the behavior to report an error message instead. This eases fuzzing functions like policydb_read(). Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx> --- libsepol/src/policydb.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index cdb3cde6b5e2..e36d82f0a1e8 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -3635,7 +3635,10 @@ static int scope_read(policydb_t * p, int symnum, struct policy_file *fp) goto cleanup; scope->scope = le32_to_cpu(buf[0]); scope->decl_ids_len = le32_to_cpu(buf[1]); - assert(scope->decl_ids_len > 0); + if (scope->decl_ids_len == 0) { + ERR(fp->handle, "invalid scope with no declaration"); + goto cleanup; + } if ((scope->decl_ids = malloc(scope->decl_ids_len * sizeof(uint32_t))) == NULL) { goto cleanup; -- 2.10.2 _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
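Review bot: The new `if (scope->decl_ids_len == 0)` check only covers the lower bound that the removed assert covered; the `malloc(scope->decl_ids_len * sizeof(uint32_t))` directly below it still accepts any other 32-bit value read from the file, so a fuzzed length such as 0xFFFFFFFF leads to a multi-gigabyte allocation (and, on a 32-bit `size_t`, the multiplication can wrap). Since the stated goal is to make policydb_read() robust to corrupted input rather than abort, consider also rejecting lengths that cannot fit in the remaining input (one `uint32_t` per declaration id) or that exceed a sane maximum, with the same `ERR(...); goto cleanup;` pattern. The error path itself is consistent with the existing `goto cleanup` used for the malloc failure, so no extra freeing is needed here.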