[PATCH] libsepol/cil: bail out on snprintf failure

Do not continue with a negative return value once a string append
operation fails to avoid increasing the buffer length variable
`str_len`, potentially leading to an out-of-bounds write.

Found by GitHub CodeQL.

Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
 libsepol/cil/src/cil.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index 9916cbee..38edcf8e 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -1456,6 +1456,12 @@ int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size)
 
 		buf_pos = snprintf(str_tmp, str_len, "user %s prefix %s;\n", user->datum.fqn,
 									userprefix->prefix_str);
+		if (buf_pos < 0) {
+			free(str_tmp);
+			*size = 0;
+			*out = NULL;
+			goto exit;
+		}
 		str_len -= buf_pos;
 		str_tmp += buf_pos;
 	}
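Review bot: free(str_tmp) in the new error branch is called on a pointer that the trailing context advances with `str_tmp += buf_pos;`. If this block is a loop body, as the per-user format string and the closing brace suggest, a failure on any pass after the first hands free() an interior pointer rather than the start of the allocation, which is undefined behaviour. Free the saved base pointer instead (for instance `free(*out);` if *out holds the base of the buffer at this point) before setting `*out = NULL;`. Two smaller points: nothing in the visible lines sets a return code before `goto exit;`, so confirm the caller gets an error rather than success with *out == NULL; and the check covers only negative returns, while snprintf returns the length it would have written on truncation, so a buf_pos that is not smaller than str_len would still move str_len and str_tmp past the end of the buffer.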
-- 
2.34.1



