authorRichard Haines <richard_c_haines@btinternet.com>2015-05-07 15:40:53 +0100
committerStephen Smalley <sds@tycho.nsa.gov>2015-05-07 12:00:07 -0400
commita351eb01a8238c1bd465619c6c5885c2da1c6663 (patch)
tree0dc1122c129103b21dfa5396d2c7a35c818a919d /libselinux/src
parent4d0d9c7004eece16f57bd794852cf721158e06e7 (diff)
libselinux: Fix core dumps with corrupt *.bin files
Check buffer address limits when processing *.bin files to catch any over-runs. On failure process text file instead. To test, the bin files were corrupted by adding and removing various bits of data. Various file sizes were also checked and all were caught by the patch. Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Diffstat (limited to 'libselinux/src')
-rw-r--r--libselinux/src/label_file.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index b3e56713..c722f299 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -325,6 +325,8 @@ static int load_mmap(struct selabel_handle *rec, const char *path, struct stat *
addr += sizeof(uint32_t);
if (memcmp((char *)addr, pcre_version(), len))
return -1; /* pcre version content mismatch */
+ if (addr + *plen >= (char *)mmap_area->addr + mmap_area->len)
+ return -1; /* Buffer over-run */
addr += *plen;
}
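Review bot: The added guard computes `addr + *plen` before comparing it with the end of the mapping, and `*plen` is a 32-bit length read from the file, so a large value can carry the pointer beyond the mapped object (undefined behaviour, and on a 32-bit target a wrap that lets the test pass). Comparing the length with the bytes that remain avoids forming that pointer, e.g. `if (*plen >= (size_t)((char *)mmap_area->addr + mmap_area->len - (char *)addr)) return -1;`, and the same form applies to the four checks in the two later hunks. The guard also sits after the `memcmp()` on `addr`; if `len` equals `*plen` at that point (the earlier validation is outside this hunk), the comparison has already read the bytes the check is meant to protect, so the check belongs above the `memcmp()`. load_mmap's body starts and ends outside the hunk.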
@@ -390,11 +392,15 @@ static int load_mmap(struct selabel_handle *rec, const char *path, struct stat *
if (!spec->lr.ctx_raw)
goto err;
+ if (addr + *plen >= (char *)mmap_area->addr + mmap_area->len)
+ return -1;
addr += *plen;
plen = (uint32_t *)addr;
addr += sizeof(uint32_t);
spec->regex_str = (char *)addr;
+ if (addr + *plen >= (char *)mmap_area->addr + mmap_area->len)
+ return -1;
addr += *plen;
spec->mode = *(mode_t *)addr;
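Review bot: Both new checks exit with `return -1` while the failure test directly above them uses `goto err`, so a corrupt entry caught here skips whatever cleanup the `err` label performs (the label is outside this hunk; presumably `spec->lr.ctx_raw` and the specs loaded so far are left behind). Using `goto err` on these paths, with the return code set the way the label expects, would keep one failure path; the two checks in the next hunk have the same shape. Also, `spec->regex_str` is pointed into the mapping with only its length bounded, and nothing visible confirms the string is NUL-terminated within `*plen` bytes, so a check on its last byte before it is used as a C string is worth adding.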
@@ -415,12 +421,16 @@ static int load_mmap(struct selabel_handle *rec, const char *path, struct stat *
plen = (uint32_t *)addr;
addr += sizeof(uint32_t);
spec->regex = (pcre *)addr;
+ if (addr + *plen >= (char *)mmap_area->addr + mmap_area->len)
+ return -1;
addr += *plen;
plen = (uint32_t *)addr;
addr += sizeof(uint32_t);
spec->lsd.study_data = (void *)addr;
spec->lsd.flags |= PCRE_EXTRA_STUDY_DATA;
+ if (addr + *plen >= (char *)mmap_area->addr + mmap_area->len)
+ return -1;
addr += *plen;
data->nspec++;
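Review bot: Each check only guarantees that `addr + *plen` lies strictly inside the mapping, i.e. that at least one byte remains, yet the next statement reads a full `uint32_t` through `plen = (uint32_t *)addr` (and, in the previous hunk, a `mode_t`). A truncated file can therefore still put those fixed-width reads across the end of the mapping; each needs its own remaining-bytes test, e.g. `if (sizeof(uint32_t) > (size_t)(end - (char *)addr)) return -1;` with `end` standing for `(char *)mmap_area->addr + mmap_area->len`. Separately, bounding the blobs says nothing about their contents: `spec->regex` and `spec->lsd.study_data` point at precompiled PCRE data taken directly from the file, so a comment here stating that the *.bin file must be trusted to the same degree as the policy would document the remaining assumption. load_mmap's body continues outside the hunk.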