From 85fbebe61a1aec2f86e36fb464283b6b55d3d76d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Tue, 23 Jun 2020 20:51:13 +0200
Subject: [PATCH] journal: fix buffer overrun when urlifying

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21122.

message is only valid until message_len, and we need to make sure we're not reading pass that.

Bug introduced in 2108b56749ebb8d17f06d08b6ada2f79ae4f0.
---
 src/shared/logs-show.c | 9 ++++++---
 test/fuzz/fuzz-journal-remote/oss-fuzz-21122 | Bin 0 -> 35798 bytes
 2 files changed, 6 insertions(+), 3 deletions(-)
 create mode 100644 test/fuzz/fuzz-journal-remote/oss-fuzz-21122

diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
index 570377dc769..fee6ccdf2a1 100644
--- a/src/shared/logs-show.c
+++ b/src/shared/logs-show.c
@@ -573,19 +573,22 @@ static int output_short(
 if (config_file &&
 message_len >= config_file_len &&
 memcmp(message, config_file, config_file_len) == 0 &&
- IN_SET(message[config_file_len], ':', ' ', '\0') &&
+ (message_len == config_file_len || IN_SET(message[config_file_len], ':', ' ')) &&
 (!highlight || highlight_shifted[0] == 0 || highlight_shifted[0] > config_file_len)) {

 _cleanup_free_ char *t = NULL, *urlified = NULL;

 t = strndup(config_file, config_file_len);
 if (t && terminal_urlify_path(t, NULL, &urlified) >= 0) {
- size_t shift = strlen(urlified) - config_file_len;
+ size_t urlified_len = strlen(urlified);
+ size_t shift = urlified_len - config_file_len;
 char *joined;

- joined = strjoin(urlified, message + config_file_len);
+ joined = realloc(urlified, message_len + shift);
 if (joined) {
+ memcpy(joined + urlified_len, message + config_file_len, message_len - config_file_len);
 free_and_replace(message, joined);
+ TAKE_PTR(urlified);
 message_len += shift;
 if (highlight) {
 highlight_shifted[0] += shift;
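Review bot: The new allocation size now depends on `shift = urlified_len - config_file_len` being non-negative, but nothing in the hunk checks that `terminal_urlify_path()` returned a string at least as long as the path it was given; if it ever did not, the unsigned subtraction would wrap, `message_len + shift` could wrap back to a small size, and the `memcpy` into `joined` would overrun the buffer (the old code only used `shift` for bookkeeping, so the same subtraction was harmless there). I would pin the invariant the code now relies on right after computing `urlified_len`: `assert(urlified_len >= config_file_len);`. Separately, the old `strjoin()` result was NUL-terminated while the new `joined` buffer is exactly `message_len + shift` bytes with the terminator overwritten by the `memcpy`; that matches the description's "only valid until message_len", but any later consumer in `output_short()` that still treats `message` as a C string would need one extra byte and a `'\0'`, so a comment such as `/* message is not NUL-terminated; its length is message_len */` next to the `free_and_replace()` would make the contract explicit. `output_short()` begins and ends outside this hunk, so I cannot confirm from here how `message` is consumed afterwards.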
diff --git a/test/fuzz/fuzz-journal-remote/oss-fuzz-21122 b/test/fuzz/fuzz-journal-remote/oss-fuzz-21122 new file mode 100644 index 0000000000000000000000000000000000000000..e0e05e1675fce463e413337700dc839014c29a6d GIT binary patch literal 35798 zc-rmV&ui0A0KoCLveP@vzd*=cig{_uc6s2-n$6pCBHGvfB{Uq^WJAnRHu!rTu;gX_g=K?frhQ-JaDlvC)oY$t3Ce<|u9lev<8? z*aXMga&1@HD&3m4+S_eNtBkf5ZA*x4Yt6|0uyfEpOb*&d{>)-jrYRYjLtj@eI(k=i zr#BZ526`**_01lazj7}MrC$kgcao?L4^Got3s*kQ(2nP6SzaAAq@(MBma*uItO`hj zAw=j^Lg49eYFP|;I^Ea2(cz!{_%MALohVVw>Umq_CWC!RaP0br9Gcv1s&S+D6O zrLZ~_Q9!u`Lrq|#D%WcMqX;q(K$nhg3BZ&hfQ`am^8f$PoT_O&QS7QQ&)N3jWxwQ_A&*(%-Ky++e%$d;+sl{8Aq-^v4gg8%>k literal 0 Hc-jL100001 -- 2.47.3