From: Dragan Dosen Date: Thu, 27 Jul 2023 18:30:42 +0000 (+0200) Subject: BUG/MINOR: chunk: fix chunk_appendf() to not write a zero if buffer is full X-Git-Tag: v2.9-dev3~85 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f7596209eea21ee4e62ea24c8bc18e181d13f348;p=thirdparty%2Fhaproxy.git BUG/MINOR: chunk: fix chunk_appendf() to not write a zero if buffer is full If the buffer is completely full, the function chunk_appendf() would write a zero past it, which can result in unexpected behavior. Now we make a check before calling vsnprintf() and return the current chunk size if no room is available. This should be backported as far as 2.0. --- diff --git a/src/chunk.c b/src/chunk.c index 2d24fa596d..b9728e1c91 100644 --- a/src/chunk.c +++ b/src/chunk.c @@ -130,15 +130,19 @@ int chunk_printf(struct buffer *chk, const char *fmt, ...) int chunk_appendf(struct buffer *chk, const char *fmt, ...) { va_list argp; + size_t room; int ret; if (!chk->area || !chk->size) return 0; + room = chk->size - chk->data; + if (!room) + return chk->data; + va_start(argp, fmt); - ret = vsnprintf(chk->area + chk->data, chk->size - chk->data, fmt, - argp); - if (ret >= chk->size - chk->data) + ret = vsnprintf(chk->area + chk->data, room, fmt, argp); + if (ret >= room) /* do not copy anything in case of truncation */ chk->area[chk->data] = 0; else
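Review bot: The new guard "if (!room)" in chunk_appendf() only covers the exactly-full case. Because room is a size_t, a chunk whose data has ever gone past size makes "chk->size - chk->data" wrap to a very large value, and vsnprintf() is then given a bound far beyond the buffer. Testing "chk->data >= chk->size" before the subtraction and returning chk->data there would cover both cases. Separately, "ret >= room" now compares an int with a size_t. A negative return from vsnprintf() reaches the truncation branch only because it converts to a large unsigned value, so an explicit "ret < 0 ||" in that condition would make the intent visible and avoid a sign-compare warning. The early "return chk->data;" also narrows implicitly to the function's int return type, which is worth a cast or a short comment.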