On Thu, Jul 13, 2023 at 2:49 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> Ensure counts are not set to the maximum value of their type.
> Also limit their size during fuzzing to prevent OOM reports.
>
> Reported-by: oss-fuzz (issue 60572)
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> libsepol/src/avtab.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
> index 9c7daf8e..cb2ca06a 100644
> --- a/libsepol/src/avtab.c
> +++ b/libsepol/src/avtab.c
> @@ -461,6 +461,8 @@ static int avtab_read_name_trans(policy_file_t *fp, symtab_t *target)
> if (rc < 0)
> return rc;
> nel = le32_to_cpu(buf32[0]);
> + if (is_saturated(nel))
> + return -1;
>
> rc = symtab_init(target, nel);
> if (rc < 0)
> @@ -736,7 +738,7 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers)
> goto bad;
> }
> nel = le32_to_cpu(buf[0]);
> - if (!nel) {
> + if (zero_or_saturated(nel)) {
> ERR(fp->handle, "table is empty");
> goto bad;
> }
The other three hunks depended on the prefix/suffix patches, but I think that this hunk might still be applicable. Jim
> @@ -909,6 +911,9 @@ static int filename_trans_comp_read_one(avtab_t *a, void *fp)
> key.target_class = le32_to_cpu(buf[1]);
>
> ndatum = le32_to_cpu(buf[2]);
> + if (is_saturated(ndatum))
> + goto err;
> +
> for (i = 0; i < ndatum; i++) {
> rc = ebitmap_read(&stypes, fp);
> if (rc < 0)
> @@ -951,6 +956,8 @@ int avtab_filename_trans_read(void *fp, uint32_t vers, avtab_t *a)
> if (rc < 0)
> return rc;
> nel = le32_to_cpu(*buf);
> + if (is_saturated(nel))
> + return -1;
>
> if (vers < POLICYDB_VERSION_COMP_FTRANS) {
> for (i = 0; i < nel; i++) {
> --
> 2.40.1
>
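Review bot: The added `is_saturated(nel)` guard in avtab_read_name_trans rejects the input with a bare `return -1` and no diagnostic, unlike the neighbouring zero check in avtab_read which reports through ERR(); the same silent rejection is added in filename_trans_comp_read_one (`goto err`) and avtab_filename_trans_read (`return -1`). Since nel is read from the policy file and then handed to `symtab_init(target, nel)`, a rejected policy should say which count was bad, e.g. `ERR(fp->handle, "name transition count is saturated");` before the return, assuming fp->handle is reachable here as it is in avtab_read. Note also that the guard catches only the single maximum value; a count just below it still reaches the allocation, and whether that is bounded depends on the is_saturated() definition the description refers to (a fuzzing-only size limit), which is not part of this diff. The body of avtab_read_name_trans continues outside the hunk.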
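Review bot: With the condition changed to `zero_or_saturated(nel)`, the `ERR(fp->handle, "table is empty")` message in avtab_read is now also emitted for a saturated count, which misdescribes the failure to anyone reading the log. Either make the message cover both cases, e.g. `ERR(fp->handle, "table size is zero or saturated");`, or keep the two conditions as separate checks with their own messages. avtab_read continues outside the hunk.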