autofs: Fix crash in sun_mount()

From: Helge Deller

In sun_mount() the variable np gets initialized to an alloca() memory area:

    np = noptions = alloca();

Later on, at the end of a loop, it may get accessed like this:

    *(np - 1) = '\0';

If np hasn't been increased in between those lines, this access triggers an
out-of-bounds access which overwrites stack area and on the parisc
architecture segfaults the automount executable as described in the Debian
bugzilla #892953.

The patch below adds the necessary check and thus fixes the crash.

Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892953
Signed-off-by: Helge Deller
Reviewed-by: Paul Menzel
Signed-off-by: Ian Kent
---
 CHANGELOG           | 1 +
 modules/parse_sun.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 10ad19e2..8e024420 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -18,6 +18,7 @@ xx/xx/2020 autofs-5.1.7
 - fix ldap sasl reconnect problem.
 - samples/ldap.schema fix.
 - fix configure force shutdown check.
+- fix crash in sun_mount().
 
 07/10/2019 autofs-5.1.6
 - support strictexpire mount option.

diff --git a/modules/parse_sun.c b/modules/parse_sun.c
index 80fdf476..4b137f99 100644
--- a/modules/parse_sun.c
+++ b/modules/parse_sun.c
@@ -592,8 +592,9 @@ static int sun_mount(struct autofs_point *ap, const char *root,
 	if (np > noptions + len) {
 		warn(ap->logopt, MODPREFIX "options string truncated");
 		np[len] = '\0';
-	} else
+	} else if (np > noptions) {
 		*(np - 1) = '\0';
+	}
 
 	options = noptions;
 }
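Review bot: The CHANGELOG entry "- fix crash in sun_mount()." carries no pointer back to the report, while the commit message cites Debian bug #892953 and the parisc segfault; appending that reference, e.g. "- fix crash in sun_mount() (Debian #892953).", would let someone scanning the changelog match the fix to the symptom without digging through git history.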
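Review bot: In the parse_sun.c hunk, the new `} else if (np > noptions) {` guard correctly stops `*(np - 1) = '\0';` from writing one byte below the alloca() buffer, but the case it now skips (np == noptions, i.e. the loop never advanced np) leaves nothing in the hunk terminating `noptions` before `options = noptions;` hands it on; unless the buffer is zero-filled before the loop (not visible in this hunk), `options` would then point at uninitialized stack memory and later reads would run past the end. Suggest either an explicit `*noptions = '\0';` for that case or a comment at the guard stating the buffer is pre-zeroed, so the invariant is checkable at the point the fix relies on it. Separately, the unchanged truncation branch `np[len] = '\0';` stores at `np + len`, which by the enclosing condition is even further past `noptions + len` than np already is; worth confirming that terminator is meant to land inside the buffer rather than beyond the overrun the branch just reported.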