From: Willy Tarreau Date: Sun, 11 Aug 2024 12:44:28 +0000 (+0200) Subject: BUG/MINOR: tools: make fgets_from_mem() stop at the end of the input X-Git-Tag: v3.1-dev6~52 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0982bfd9997d73bae1257da56413898f5f8d97fe;p=thirdparty%2Fhaproxy.git BUG/MINOR: tools: make fgets_from_mem() stop at the end of the input The memchr() used to look for the LF character must consider the end of input, not just the output buffer size. This was found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=71096 No backport is needed. --- diff --git a/src/tools.c b/src/tools.c index 220f3fec25..15756c880b 100644 --- a/src/tools.c +++ b/src/tools.c @@ -6681,6 +6681,9 @@ char *fgets_from_mem(char* buf, int size, const char **position, const char *end return NULL; size--; /* keep fgets behaviour, reads at most one less than size */ + if (size > end - *position) + size = end - *position; + new_pos = memchr(*position, '\n', size); if (new_pos) { /* '+1' to grab and copy '\n' at the end of line */
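Review bot: The added clamp `if (size > end - *position) size = end - *position;` is only safe for the `memchr()` that follows if `end - *position` is strictly positive. If it is zero or negative, `size` becomes zero or negative, and a negative `int` passed as the length argument converts to a very large `size_t`, which brings back the over-read this change is meant to stop. The condition guarding the `return NULL;` just above is outside the visible context, so please confirm it rejects `*position >= end` and not only equality, or make the clamp itself defensive by returning NULL when the remaining length is not positive. The narrowing from `ptrdiff_t` to `int` in the assignment is fine, since it only happens when the difference is smaller than `size`. A one-line comment above the clamp, in the style of the existing `size--` comment, stating that the search must not run past `end` would help the next reader.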