From: Willy Tarreau Date: Wed, 7 May 2025 05:22:24 +0000 (+0200) Subject: BUG/MINOR: tools: only fill first empty arg when not out of range X-Git-Tag: v3.2-dev15~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=10e6d0bd57;p=thirdparty%2Fhaproxy.git BUG/MINOR: tools: only fill first empty arg when not out of range In commit 3f2c8af313 ("MINOR: tools: make parse_line() provide hints about empty args") we've added the ability to record the position of the first empty arg in parse_line(), but that check requires to access the args[] array for the current arg, which is not valid in case we stopped on too large an argument count. Let's just check the arg's validity before doing so. This was reported by OSS Fuzz: https://issues.oss-fuzz.com/issues/415850462 No backport is needed since this was in the latest dev branch.
---
diff --git a/src/tools.c b/src/tools.c
index 73335d21e..313396823 100644
--- a/src/tools.c
+++ b/src/tools.c
@@ -6439,7 +6439,7 @@ uint32_t parse_line(char *in, char *out, size_t *outlen, char **args, int *nbarg
 err |= PARSE_ERR_TOOMANY;
 }
 if (prev_in_arg && !in_arg) {
- if (!empty_arg_ptr && args[arg] == out + arg_start)
+ if (!empty_arg_ptr && arg < argsmax && args[arg] == out + arg_start)
 empty_arg_ptr = begin_new_arg;
 EMIT_CHAR(0);
 arg++;
@@ -6481,7 +6481,7 @@ uint32_t parse_line(char *in, char *out, size_t *outlen, char **args, int *nbarg
 }
 if (prev_in_arg && !in_arg) {
- if (!empty_arg_ptr && args[arg] == out + arg_start)
+ if (!empty_arg_ptr && arg < argsmax && args[arg] == out + arg_start)
 empty_arg_ptr = begin_new_arg;
 EMIT_CHAR(0);
 arg++;
@@ -6490,7 +6490,7 @@ uint32_t parse_line(char *in, char *out, size_t *outlen, char **args, int *nbarg
 /* end of output string */
 if (in_arg) {
- if (!empty_arg_ptr && args[arg] == out + arg_start)
+ if (!empty_arg_ptr && arg < argsmax && args[arg] == out + arg_start)
 empty_arg_ptr = begin_new_arg;
 EMIT_CHAR(0);
 arg++;
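Review bot: The guarded test `!empty_arg_ptr && arg < argsmax && args[arg] == out + arg_start` is now repeated verbatim at all three sites (the hunks at 6439, 6481 and 6490), and nothing at any of them says why the bound is there, so a later edit or a fourth site could drop it again. In the first hunk `arg++` still executes right after the branch that sets `PARSE_ERR_TOOMANY`, so `arg` appears to keep counting past `argsmax`, and any unguarded `args[arg]` then reads beyond the caller's array. I would add a comment above the first test, for example `/* args[arg] is only valid while arg < argsmax; arg keeps counting after PARSE_ERR_TOOMANY */`, or fold the three-term test into one small macro beside `EMIT_CHAR` so the bound lives in a single place. parse_line() starts and ends outside these hunks, so it is worth confirming there that `args[arg]` is only ever written under the same `arg < argsmax` condition.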