From: Zbigniew Jędrzejewski-Szmek
Date: Tue, 23 Jun 2020 18:51:13 +0000 (+0200)
Subject: journal: fix buffer overrun when urlifying
X-Git-Tag: v246-rc1~93^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=85fbebe61a1aec2f86e36fb464283b6b55d3d76d;p=thirdparty%2Fsystemd.git
journal: fix buffer overrun when urlifying
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21122.
message is only valid until message_len, and we need to make sure we're not reading pass that.
Bug introduced in 2108b56749ebb8d17f06d08b6ada2f79ae4f0.
---
diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
index 570377dc769..fee6ccdf2a1 100644
--- a/src/shared/logs-show.c
+++ b/src/shared/logs-show.c
@@ -573,19 +573,22 @@ static int output_short(
 if (config_file &&
 message_len >= config_file_len &&
 memcmp(message, config_file, config_file_len) == 0 &&
- IN_SET(message[config_file_len], ':', ' ', '\0') &&
+ (message_len == config_file_len || IN_SET(message[config_file_len], ':', ' ')) &&
 (!highlight || highlight_shifted[0] == 0 || highlight_shifted[0] > config_file_len)) {
 _cleanup_free_ char *t = NULL, *urlified = NULL;
 
 t = strndup(config_file, config_file_len);
 if (t && terminal_urlify_path(t, NULL, &urlified) >= 0) {
- size_t shift = strlen(urlified) - config_file_len;
+ size_t urlified_len = strlen(urlified);
+ size_t shift = urlified_len - config_file_len;
 char *joined;
 
- joined = strjoin(urlified, message + config_file_len);
+ joined = realloc(urlified, message_len + shift);
 if (joined) {
+ memcpy(joined + urlified_len, message + config_file_len, message_len - config_file_len);
 free_and_replace(message, joined);
+ TAKE_PTR(urlified);
 message_len += shift;
 if (highlight) {
 highlight_shifted[0] += shift;
diff --git a/test/fuzz/fuzz-journal-remote/oss-fuzz-21122 b/test/fuzz/fuzz-journal-remote/oss-fuzz-21122
new file mode 100644
index 00000000000..e0e05e1675f
Binary files /dev/null and b/test/fuzz/fuzz-journal-remote/oss-fuzz-21122 differ
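Review bot: The new realloc/memcpy pair turns the replacement `message` into a purely length-delimited buffer with no terminating NUL — the NUL that `urlified` carried at `joined[urlified_len]` is overwritten by the memcpy, and an allocation of exactly `message_len + shift` bytes leaves no room for another — yet nothing in the hunk records that invariant, so a later reader could reach for a str* call on it. I would add above the realloc: `/* message is not NUL-terminated: message_len bounds it; the buffer below is sized exactly message_len + shift and urlified's NUL is overwritten, so always use message_len, never strlen(). */`. The memcpy length `message_len - config_file_len` is safe here because the enclosing condition already requires `message_len >= config_file_len`. The `urlified_len - config_file_len` subtraction assumes terminal_urlify_path never yields something shorter than the path it was given (otherwise `shift` wraps); that assumption predates this change, but I cannot confirm it from the hunk. The enclosing function output_short starts and ends outside the hunk.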