BUG/MINOR: cfgcond: fail cleanly on missing argument for "feature"

The "feature" predicate takes an argument name. Not passing one will
cause strstr() to always find something, including at the end of the
string, and to read past end that ASAN detects. We need to check that
we didn't reach end before proceeding.

This bug was reported by OSS Fuzz here:
   https://issues.oss-fuzz.com/issues/499133314

The issue is present since 2.4 with commit 58ca706e16 ("MINOR: config:
add predicate "feature" to detect certain built-in features") so this
fix must be backported to all stable versions.

diff --git a/src/cfgcond.c b/src/cfgcond.c
index 345eafe717c033592302987db92e0dac8c424439..491c1c8776e6acc9ac58b2ea65d5fa59bb13791b 100644 (file)
--- a/src/cfgcond.c
+++ b/src/cfgcond.c
@@ -232,7 +232,7 @@ int cfg_eval_cond_term(const struct cfg_cond_term *term, char **err)
                        const char *p;
 
                        ret = 0; // assume feature not found
-                       for (p = build_features; (p = strstr(p, term->args[0].data.str.area)); p++) {
+                       for (p = build_features; *p && (p = strstr(p, term->args[0].data.str.area)); p++) {
                                if (p > build_features &&
                                    (p[term->args[0].data.str.data] == ' ' ||
                                     p[term->args[0].data.str.data] == 0)) {