BUG/MINOR: cfgcond: properly set the error pointer on evaluation error

cfg_eval_condition() says that the <errptr> pointer will be set upon
error. However, cfg_eval_cond_expr() can fail (e.g. failure to handle
a dynamic argument) but would branch to "done" and leave errptr unset.
Let's check for this case as well.

This bug was reported by OSS Fuzz here:
   https://issues.oss-fuzz.com/issues/499135825

The bug was introduced in 2.5 around commit ca81887599 ("MINOR:
cfgcond: insert an expression between the condition and the term") so
the fix must be backported as far as 2.6.

diff --git a/src/cfgcond.c b/src/cfgcond.c
index 7be2e7a47fbef049759cbb7466ea72c008956eb6..07fe9c8fceaa64169ecbb86cf93e078f306d084d 100644 (file)
--- a/src/cfgcond.c
+++ b/src/cfgcond.c
@@ -564,6 +564,8 @@ int cfg_eval_condition(char **args, char **err, const char **errptr)
                }
 
                ret = cfg_eval_cond_expr(expr, err);
+               if (ret < 0)
+                       goto fail;
                goto done;
        }