From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
Limit the length of regular expression paths in fcontext source
definitions to reduce the worst case regex compilation time for abnormal
inputs.
Reported-by: oss-fuzz (issue 393203212)
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
libselinux/src/label_file.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
index ad7699e6..7a9834a0 100644
--- a/libselinux/src/label_file.h
+++ b/libselinux/src/label_file.h
@@ -434,6 +434,12 @@ static inline int compile_regex(struct regex_spec *spec, char *errbuf, size_t er
reg_buf = spec->regex_str;
/* Anchor the regular expression. */
len = strlen(reg_buf);
+ if (len >= 4096) {
+ __pthread_mutex_unlock(&spec->regex_lock);
+ snprintf(errbuf, errbuf_size, "regex of length %zu too long", len);
+ errno = EINVAL;
+ return -1;
+ }
cp = anchored_regex = malloc(len + 3);
if (!anchored_regex) {
__pthread_mutex_unlock(&spec->regex_lock);
--
2.45.2
