[3/5] libsepol: do not crash when block->branch_list is NULL

Commit Message

Nicolas Iooss Nov. 22, 2016, 10:23 p.m. UTC

When fuzzing hll/pp, the fuzzer created a policy module with a block
which has no declaration. With block->branch_list = NULL,
typealias_list_create() triggered a NULL pointer dereference when
computing max_decl_id.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 libsepol/src/module_to_cil.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 1c2c51c614ab..51a478434805 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -374,7 +374,7 @@  static int typealias_list_create(struct policydb *pdb)
 
 	for (block = pdb->global; block != NULL; block = block->next) {
 		decl = block->branch_list;
-		if (decl->decl_id > max_decl_id) {
+		if (decl != NULL && decl->decl_id > max_decl_id) {
 			max_decl_id = decl->decl_id;
 		}
 	}