
journal: fix buffer overrun when urlifying

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21122.

message is only valid up to message_len (it is not necessarily NUL-terminated), so we need to make sure we're not
reading past that. Bug introduced in 2108b56749.
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2020-06-23 20:51:13 +02:00
parent db3b8d5d41
commit 85fbebe61a
2 changed files with 6 additions and 3 deletions


@ -573,19 +573,22 @@ static int output_short(
if (config_file && if (config_file &&
message_len >= config_file_len && message_len >= config_file_len &&
memcmp(message, config_file, config_file_len) == 0 && memcmp(message, config_file, config_file_len) == 0 &&
IN_SET(message[config_file_len], ':', ' ', '\0') && (message_len == config_file_len || IN_SET(message[config_file_len], ':', ' ')) &&
(!highlight || highlight_shifted[0] == 0 || highlight_shifted[0] > config_file_len)) { (!highlight || highlight_shifted[0] == 0 || highlight_shifted[0] > config_file_len)) {
_cleanup_free_ char *t = NULL, *urlified = NULL; _cleanup_free_ char *t = NULL, *urlified = NULL;
t = strndup(config_file, config_file_len); t = strndup(config_file, config_file_len);
if (t && terminal_urlify_path(t, NULL, &urlified) >= 0) { if (t && terminal_urlify_path(t, NULL, &urlified) >= 0) {
size_t shift = strlen(urlified) - config_file_len; size_t urlified_len = strlen(urlified);
size_t shift = urlified_len - config_file_len;
char *joined; char *joined;
joined = strjoin(urlified, message + config_file_len); joined = realloc(urlified, message_len + shift);
if (joined) { if (joined) {
memcpy(joined + urlified_len, message + config_file_len, message_len - config_file_len);
free_and_replace(message, joined); free_and_replace(message, joined);
TAKE_PTR(urlified);
message_len += shift; message_len += shift;
if (highlight) { if (highlight) {
highlight_shifted[0] += shift; highlight_shifted[0] += shift;

Binary file not shown.