Ensure counts are not set to the maximum value of their type. Also limit their size during fuzzing to prevent OOM reports.
Reported-by: oss-fuzz (issue 60572)
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
libsepol/src/avtab.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
index 9c7daf8e..cb2ca06a 100644
--- a/libsepol/src/avtab.c
+++ b/libsepol/src/avtab.c
@@ -461,6 +461,8 @@ static int avtab_read_name_trans(policy_file_t *fp, symtab_t *target)
 if (rc < 0)
 return rc;
 nel = le32_to_cpu(buf32[0]);
+ if (is_saturated(nel))
+ return -1;
 rc = symtab_init(target, nel);
 if (rc < 0
@@ -736,7 +738,7 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers)
 goto bad;
 }
 nel = le32_to_cpu(buf[0]);
- if (!nel) {
+ if (zero_or_saturated(nel)) {
 ERR(fp->handle, "table is empty");
 goto bad;
 }
@@ -909,6 +911,9 @@ static int filename_trans_comp_read_one(avtab_t *a, void *fp)
 key.target_class = le32_to_cpu(buf[1]);
 ndatum = le32_to_cpu(buf[2]);
+ if (is_saturated(ndatum))
+ goto err;
+
 for (i = 0; i < ndatum; i++) {
 rc = ebitmap_read(&stypes, fp);
 if (rc < 0
@@ -951,6 +956,8 @@ int avtab_filename_trans_read(void *fp, uint32_t vers, avtab_t *a)
 if (rc < 0)
 return rc;
 nel = le32_to_cpu(*buf);
+ if (is_saturated(nel))
+ return -1;
 if (vers < POLICYDB_VERSION_COMP_FTRANS) {
 for (i = 0; i < nel; i++) {
-- 
2.40.1
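Review bot: The new `if (is_saturated(nel)) return -1;` in avtab_read_name_trans rejects the count silently, whereas the parallel check in avtab_read reports through ERR before bailing out, so a malformed or truncated policy now fails to load with no indication of which count was bad; the same silent rejection is in the `goto err` of filename_trans_comp_read_one and the `return -1` of avtab_filename_trans_read. Logging first would keep the diagnostics consistent and make triage of fuzz findings and real load failures easier, e.g. `ERR(fp->handle, "invalid number of name transitions");` ahead of the `return -1;` (assuming `fp->handle` is reachable here as it is in avtab_read; in filename_trans_comp_read_one `fp` is `void *`, so it presumably needs the cast the rest of that function uses). Note also that `is_saturated` and `zero_or_saturated` are not defined in this patch, so the exact limit they enforce, including the fuzzing-only size cap the commit message mentions, cannot be verified from this diff alone. Each enclosing function extends beyond its hunk.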
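Review bot: With the condition in avtab_read widened to `zero_or_saturated(nel)`, the message `"table is empty"` on the following line is now wrong for the saturated case, where the count field holds the maximum value rather than zero, and a reader of the log would look for an empty table instead of a corrupt size field. Suggest `ERR(fp->handle, "table is empty or has an invalid size");` so the diagnostic covers both branches, or two separate checks each with its own message. avtab_read continues outside the hunk.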