basic/ellipsize: do not assume the string is NUL-terminated when length is given

oss-fuzz flags this as: ==1==WARNING: MemorySanitizer: use-of-uninitialized-value 0. 0x7fce77519ca5 in ascii_is_valid systemd/src/basic/utf8.c:252:9 1. 0x7fce774d203c in ellipsize_mem systemd/src/basic/string-util.c:544:13 2. 0x7fce7730a299 in print_multiline systemd/src/shared/logs-show.c:244:37 3. 0x7fce772ffdf3 in output_short systemd/src/shared/logs-show.c:495:25 4. 0x7fce772f5a27 in show_journal_entry systemd/src/shared/logs-show.c:1077:15 5. 0x7fce772f66ad in show_journal systemd/src/shared/logs-show.c:1164:29 6. 0x4a2fa0 in LLVMFuzzerTestOneInput systemd/src/fuzz/fuzz-journal-remote.c:64:21 ... I didn't reproduce the issue, but this looks like an obvious error: the length is specified, so we shouldn't use the string with any functions for normal C-strings.
2018-06-09 13:41:44 +02:00 · 2018-06-09 13:41:44 +02:00 · 21e4e3e06f
parent 4215ed6dbd
commit 21e4e3e06f
4 changed files with 11 additions and 2 deletions
--- a/src/basic/format-table.c
+++ b/src/basic/format-table.c
@ -1174,7 +1174,7 @@ int table_print(Table *t, FILE *f) {
                        if (l > width[j]) {
                                /* Field is wider than allocated space. Let's ellipsize */

-                                buffer = ellipsize_mem(field, (size_t) -1, width[j], d->ellipsize_percent);
+                                buffer = ellipsize(field, width[j], d->ellipsize_percent);
                                if (!buffer)
                                        return -ENOMEM;

--- a/src/basic/string-util.c
+++ b/src/basic/string-util.c
@ -541,7 +541,7 @@ char *ellipsize_mem(const char *s, size_t old_length, size_t new_length, unsigne
                return strdup("");

        /* If no multibyte characters use ascii_ellipsize_mem for speed */
-        if (ascii_is_valid(s))
+        if (ascii_is_valid_n(s, old_length))
                return ascii_ellipsize_mem(s, old_length, new_length, percent);

        x = ((new_length - 1) * percent) / 100;
--- a/test/fuzz-regressions/fuzz-journal-remote/oss-fuzz-8659
+++ b/test/fuzz-regressions/fuzz-journal-remote/oss-fuzz-8659
--- a/test/fuzz-regressions/meson.build
+++ b/test/fuzz-regressions/meson.build
@ -18,6 +18,7 @@ fuzz_regression_tests = '''
        fuzz-dns-packet/oss-fuzz-5465
        fuzz-journal-remote/crash-5a8f03d4c3a46fcded39527084f437e8e4b54b76
        fuzz-journal-remote/crash-96dee870ea66d03e89ac321eee28ea63a9b9aa45
+        fuzz-journal-remote/oss-fuzz-8659
        fuzz-journal-remote/oss-fuzz-8686
        fuzz-unit-file/oss-fuzz-6884
        fuzz-unit-file/oss-fuzz-6885