From c0563f43b0764b42f01ee4c946d66ae96d8c782d Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Thu, 5 Jun 2025 11:09:53 +0200
Subject: [PATCH] - Fix unbound-anchor certificate file read for line ends and end of file.
---
 doc/Changelog | 4 ++++
 smallapp/unbound-anchor.c | 12 +++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/doc/Changelog b/doc/Changelog
index 2209c5e29..22ff13ef3 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+5 June 2025: Wouter
+ - Fix unbound-anchor certificate file read for line ends and end of
+ file.
+
 3 June 2025: Yorgos
 - Small manpage corrections for the 'disable-dnssec-lame-check' option.
diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
index bd4a121f7..16f262067 100644
--- a/smallapp/unbound-anchor.c
+++ b/smallapp/unbound-anchor.c
@@ -382,7 +382,7 @@ read_cert_file(const char* file)
 STACK_OF(X509)* sk;
 FILE* in;
 int content = 0;
- char buf[128];
+ long flen;
 if(file == NULL || strcmp(file, "") == 0) {
 return NULL;
 }
@@ -399,6 +399,11 @@ read_cert_file(const char* file)
 #endif
 return NULL;
 }
+ if(fseek(in, 0, SEEK_END) < 0)
+ printf("%s fseek: %s\n", file, strerror(errno));
+ flen = ftell(in);
+ if(fseek(in, 0, SEEK_SET) < 0)
+ printf("%s fseek: %s\n", file, strerror(errno));
 while(!feof(in)) {
 X509* x = PEM_read_X509(in, NULL, NULL, NULL);
 if(x == NULL) {
@@ -414,8 +419,9 @@ read_cert_file(const char* file)
 exit(0);
 }
 content = 1;
- /* read away newline after --END CERT-- */
- if(!fgets(buf, (int)sizeof(buf), in))
+ /* feof may not be true yet, but if the position is
+ * at end of file, stop reading more certificates. */
+ if(ftell(in) == flen)
 break;
 }
 fclose(in);
-- 
2.47.3
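Review bot: The value of `ftell(in)` is stored in `flen` without a check and a failed `fseek` is only printed, so when the stream cannot be positioned `flen` is -1 and the later `ftell(in) == flen` test in the third hunk also compares against -1 and breaks after the first certificate. Because this function loads the certificate list that unbound-anchor relies on for verification, a silently shortened list should be reported rather than accepted; the comparison could be guarded as `if(flen >= 0 && ftell(in) == flen)` and a negative `flen` reported alongside the fseek messages. The two added `printf` calls are unconditional; if the other diagnostics in read_cert_file are gated on the verbosity flag (not visible in these hunks), they should follow the same convention. The body of read_cert_file starts and ends outside the hunks shown.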