From: Joshua Rogers <MegaManSec@users.noreply.github.com>
Date: Mon, 15 Sep 2025 14:22:01 +0000 (+0000)
Subject: Fix parsing of malformed quoted squid.conf strings (#2239)
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=20681dbd20c4e0e7950626f277832daeb7fb71da;p=thirdparty%2Fsquid.git

Fix parsing of malformed quoted squid.conf strings (#2239)

Iteration of a quoted token that ends with a backslash (escape with no
next char) kept going past the end of the token. That bug as well as
hypothetical 2KB-byte tokens (exceeding CONFIG_LINE_LIMIT) could also
result in a 1-byte NUL overrun.
---

diff --git a/src/ConfigParser.cc b/src/ConfigParser.cc
index 283856675f..4794763cc8 100644
--- a/src/ConfigParser.cc
+++ b/src/ConfigParser.cc
@@ -146,8 +146,13 @@ ConfigParser::UnQuote(const char *token, const char **next)
     const char  *s = token + 1;
     char *d = UnQuoted;
     /* scan until the end of the quoted string, handling escape sequences*/
-    while (*s && *s != quoteChar && !errorStr && (size_t)(d - UnQuoted) < sizeof(UnQuoted)) {
+    while (*s && *s != quoteChar && !errorStr && (size_t)(d - UnQuoted) < sizeof(UnQuoted) - 1) {
         if (*s == '\\') {
+            if (s[1] == '\0') {
+                errorStr = "Unterminated escape sequence";
+                errorPos = s;
+                break;
+            }
             s++;
             switch (*s) {
             case 'r':