OSS-Fuzz found a Heap-buffer-overflow in the CIL compiler when trying to compile the following policy: (sid SID) (sidorder(SID)) (filecon "\" any ()) (filecon "" any ()) When cil_post_fc_fill_data() processes "\", it goes beyond the NUL terminator of the string. Fix this by returning when '\0' is read after a backslash. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28484 Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx> --- libsepol/cil/src/cil_post.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c index d2ecbd430aa3..8ebf0fe74e80 100644 --- a/libsepol/cil/src/cil_post.c +++ b/libsepol/cil/src/cil_post.c @@ -186,6 +186,16 @@ static void cil_post_fc_fill_data(struct fc_data *fc, const char *path) break; case '\\': c++; + if (path[c] == '\0') { + /* Count an ending backslash as a character, like refpolicy: + * https://github.com/SELinuxProject/refpolicy/blob/RELEASE_2_20210203/support/fc_sort.py#L38-L61 + */ + if (!fc->meta) { + fc->stem_len++; + } + fc->str_len++; + return; + } /* FALLTHRU */ default: if (!fc->meta) { -- 2.31.0
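Review bot: the early `return` inside the `case '\\':` branch leaves cil_post_fc_fill_data() before the loop's normal exit, so please confirm that nothing after the loop (any finalisation of `fc` beyond the `stem_len`/`str_len` increments done here) is skipped for a path ending in a backslash; if there is such code, a `break` out of the loop that keeps the increments would be safer than `return`. The increments themselves mirror the `default:` branch that follows (`if (!fc->meta) { fc->stem_len++; }` plus `fc->str_len++`), so the behaviour is consistent with how a normal character is counted. Since the reproducer policy from the commit message (`(filecon "\" any ())` followed by `(filecon "" any ())`) is small, adding it as a regression test would prevent this out-of-bounds read from reappearing if the escape handling is touched again.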