From 3a206da456723cc38a8a27e1edde1e48da33489a Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 11 Oct 2023 11:03:00 -0700 Subject: [PATCH] check chain length is nonzero before examining last entry It was possible to reach add_link() without visiting an intermediate node first, and the check for a duplicate entry could then cause a crash. Credit to OSS-Fuzz for discovering this error. --- lib/dns/qp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/dns/qp.c b/lib/dns/qp.c index 873183a8e5..8d94af9c08 100644 --- a/lib/dns/qp.c +++ b/lib/dns/qp.c @@ -1997,7 +1997,7 @@ dns_qp_getname(dns_qpreadable_t qpr, const dns_name_t *name, void **pval_r, static inline void add_link(dns_qpchain_t *chain, dns_qpnode_t *node, size_t offset) { /* prevent duplication */ - if (chain->chain[chain->len - 1].node == node) { + if (chain->len != 0 && chain->chain[chain->len - 1].node == node) { return; } chain->chain[chain->len].node = node;