OSS Fuzz found that the previous fix ebb19fb367 ("BUG/MINOR: cfgparse: consider the special case of empty arg caused by \x00") was incomplete, as the output can sometimes be larger than the input (due to variable expansion), in which case the workaround to try to report a bad arg will fail. While the parse_line() function has been made more robust now in order to avoid this condition, let's fix the handling of this special case anyway by just pointing to the beginning of the line if the supposed error location is out of the line's buffer.

All details here:
https://oss-fuzz.com/testcase-detail/5202563081502720

No backport is needed unless the fix above is backported.
* and if it's not set, we'll fall back to args's position in the output
* string instead (less accurate but still useful).
*/
- if (!errptr)
- errptr = args[check_arg] - outline + line;
+ if (!errptr) {
+ newpos = args[check_arg] - outline;
+ if (newpos >= strlen(line))
+ newpos = 0; // impossible to report anything, start at the beginning.
+ errptr = line + newpos;
+ }
/* sanitize input line in-place */
newpos = sanitize_for_printing(line, errptr - line, 80);
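Review bot: in the added block, `if (newpos >= strlen(line))` compares a pointer-difference offset against a `size_t`; the declaration of `newpos` is not in the hunk, but if it is a signed `int` this is a signed/unsigned comparison, and a negative difference (args[check_arg] before outline) would be promoted to a huge unsigned value and silently reset to 0. That happens to be the safe outcome, but it deserves either an explicit `newpos < 0 ||` in the condition or a comment saying the wraparound is intended. Also, the `// impossible to report anything, start at the beginning.` line should use a `/* ... */` comment to match the block comment immediately above and the `/* sanitize input line in-place */` line below.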