libtraceevent: Check type string length in eval_type_str()
The pointer type check unconditionally accesses len - 2 and it could
be a problem when the given type string broken or malicious. Also the
shortest supported type length is 2 (s8 and u8). So let's check the
length first to prevent invalid access.
Actually this was found in a fuzzer test.
Link: https://lore.kernel.org/linux-trace-devel/20220513194048.476326-1-namhyung@kernel.org
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
diff --git a/src/event-parse.c b/src/event-parse.c
index 4dc4743..8b839cb 100644
--- a/src/event-parse.c
+++ b/src/event-parse.c
@@ -2551,6 +2551,10 @@
int len;
len = strlen(type);
+ if (len < 2) {
+ do_warning("invalid type: %s", type);
+ return val;
+ }
if (pointer) {
