From: Willy Tarreau Date: Fri, 26 Jun 2020 15:24:54 +0000 (+0200) Subject: BUG/MINOR: cfgparse: correctly deal with empty lines X-Git-Tag: v2.2-dev11~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=08488f66b6028761d8eb60a3bddb9aa080a2af4a;p=thirdparty%2Fhaproxy.git BUG/MINOR: cfgparse: correctly deal with empty lines Issue 23653 in oss-fuzz reports a heap overflow bug which is in fact a bug introduced by commit 9e1758efb ("BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines") to address oss-fuzz issue 22689, which was only partially fixed by commit 70f58997f ("BUG/MINOR: cfgparse: Support configurations without newline at EOF"). Actually on an empty line, end == line so we cannot dereference end-1 to check for a trailing LF without first being sure that end is greater than line. No backport is needed, this is 2.2 only. --- diff --git a/src/cfgparse.c b/src/cfgparse.c index 92f17691ca..63efc9114e 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -1916,7 +1916,7 @@ next_line: readbytes = 0; - if (*(end-1) == '\n') { + if (end > line && *(end-1) == '\n') { /* kill trailing LF */ *(end - 1) = 0; }
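Review bot: the `end > line` guard added to the condition after `readbytes = 0;` is the right bound check, but nothing in the code records why it is needed; the only comment in the hunk still reads "kill trailing LF". The commit message explains that on an empty line `end == line`, so `*(end-1)` reads one byte before the buffer, and it traces the problem through two earlier commits (9e1758efb, 70f58997f). Putting that one-sentence reason in the comment next to the check would make it harder to drop the guard in a later cleanup. Minor style point in the same hunk: the condition writes `*(end-1)` while the body writes `*(end - 1)`, so one spacing should be used for both. The patch also carries no regression input; a config with an empty line, matching the case from oss-fuzz issue 23653 described in the message, would be worth adding with the fix.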