From: Willy Tarreau Date: Mon, 12 May 2025 14:06:28 +0000 (+0200) Subject: BUG/MINOR: cfgparse: improve the empty arg position report's robustness X-Git-Tag: v3.2-dev16~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=be4d816be24255c6ba3b42284ca57085b8129e5e;p=thirdparty%2Fhaproxy.git BUG/MINOR: cfgparse: improve the empty arg position report's robustness OSS Fuzz found that the previous fix ebb19fb367 ("BUG/MINOR: cfgparse: consider the special case of empty arg caused by \x00") was incomplete, as the output can sometimes be larger than the input (due to variables expansion) in which case the work around to try to report a bad arg will fail. While the parse_line() function has been made more robust now in order to avoid this condition, let's fix the handling of this special case anyway by just pointing to the beginning of the line if the supposed error location is out of the line's buffer. All details here: https://oss-fuzz.com/testcase-detail/5202563081502720 No backport is needed unless the fix above is backported. --- diff --git a/src/cfgparse.c b/src/cfgparse.c index 1fea15915..22dfee3b8 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -2074,8 +2074,12 @@ next_line: * and if it's not set, we'll fall back to args's position in the output * string instead (less accurate but still useful). */ - if (!errptr) - errptr = args[check_arg] - outline + line; + if (!errptr) { + newpos = args[check_arg] - outline; + if (newpos >= strlen(line)) + newpos = 0; // impossible to report anything, start at the beginning. + errptr = line + newpos; + } /* sanitize input line in-place */ newpos = sanitize_for_printing(line, errptr - line, 80);
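Review bot: the new bound check `if (newpos >= strlen(line))` only guards one direction; if `args[check_arg]` ever sits below `outline` (the difference is a ptrdiff_t), the negative value is only rejected by the signed-to-unsigned conversion in the comparison against `strlen(line)` (or by wrap-around on assignment, depending on how `newpos` is declared, which is not visible in the hunk), so the fallback to position 0 works by accident rather than by an explicit test; an explicit `if (args[check_arg] < outline || newpos >= strlen(line)) newpos = 0;` would make the intent clear. The `>=` also treats an offset equal to `strlen(line)` (the terminating NUL) as out of range, which is fine for a caret placed after an empty last argument but is worth a word in the comment since the error caret then jumps to the start of the line. Minor style point: the surrounding code uses `/* ... */` comments (`/* sanitize input line in-place */` two lines later), so the `// impossible to report anything, ...` line would read more consistently in that form.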