From 9e16d2709c2e0857c6c0f46869eb6a254444a7d5 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Sun, 24 May 2020 23:13:19 +0200
Subject: [PATCH] libpkgconf: personality: fix out of boundary access

It is possible to set the instruction pointer to undefined values by
using an operator larger than ':' in ASCII. Since the personality
function array does not have 256 entries, an invalid operator can
overflow the array.

Proof of concept:

$ echo "a _ b" > poc
$ ln -s $(which pkgconf) poc-pkgconf
$ ./poc-pkgconf
---
 libpkgconf/personality.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libpkgconf/personality.c b/libpkgconf/personality.c
index f5ca367..ab9ef74 100644
--- a/libpkgconf/personality.c
+++ b/libpkgconf/personality.c
@@ -179,7 +179,7 @@ personality_keyword_set(pkgconf_cross_personality_t *p, const size_t lineno, con
 	pair->func(p, keyword, lineno, pair->offset, value);
 }
 
-static const pkgconf_parser_operand_func_t personality_parser_ops[] = {
+static const pkgconf_parser_operand_func_t personality_parser_ops[256] = {
 	[':'] = (pkgconf_parser_operand_func_t) personality_keyword_set
 };
 
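Review bot: Sizing `personality_parser_ops` to 256 entries only closes the hole if every lookup indexes it with a value in 0..255; the lookup site is not in this hunk, and if it indexes with a plain `char` (signed on common ABIs) an operator byte with the high bit set still produces a negative index and an out-of-bounds read of a function pointer. The array definition should state that contract so the next maintainer keeps the index unsigned, e.g. `/* Indexed by the raw operator byte: every lookup must use (unsigned char) so all 0..255 values stay in bounds. */` above the declaration, and the caller's subscript should be checked to be cast to `unsigned char`. As a point of style, `[UCHAR_MAX + 1]` from `<limits.h>` instead of the literal `256` ties the size to the index type rather than a magic number. The enclosing context (`personality_keyword_set`) starts before this hunk.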