Fix buffer overread in ascii formatter

When a text with an (escaped) zero byte was passed to ParseValue, only the part of the string up to the zero byte was copied, but the length of the full string was passed to the input framework. This leads to the input manager reading over the end of the buffer. Fixes zeek/zeek#1398
2025-10-02 06:38:20 +00:00 · 2021-02-12 14:16:25 +00:00 · 2021-02-12 14:16:25 +00:00 · 61290fc19c
commit 61290fc19c
parent 021a31b29a
3 changed files with 7 additions and 2 deletions
--- a/src/threading/formatters/Ascii.cc
+++ b/src/threading/formatters/Ascii.cc
@ -225,7 +225,9 @@ Value* Ascii::ParseValue(const string& s, const string& name, TypeTag type, Type
 		{
 		string unescaped = util::get_unescaped_string(s);
 		val->val.string_val.length = unescaped.size();
-		val->val.string_val.data = util::copy_string(unescaped.c_str());
+		val->val.string_val.data = new char[val->val.string_val.length];
+		// we do not need a zero-byte at the end - the input manager adds that explicitly
+		memcpy(val->val.string_val.data, unescaped.data(), unescaped.size());
 		break;
 		}

--- a/testing/btest/Baseline/scripts.base.frameworks.input.binary/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.binary/out
@ -5,3 +5,5 @@ abc|\xffdef
 DATA2
 abc\xff|def
 DATA2
+abc\x00\x00\x00\xff|def
+DATA3
--- a/testing/btest/scripts/base/frameworks/input/binary.zeek
+++ b/testing/btest/scripts/base/frameworks/input/binary.zeek
@ -21,6 +21,7 @@ redef InputAscii::unset_field = "-";
 abc\x0a\xffdef|DATA2
 abc\x7c\xffdef|DATA2
 abc\xff\x7cdef|DATA2
+abc\x00\x00\x00\xff\x7cdef|DATA3
 #end|2012-07-20-01-49-19
@TEST-END-FILE

@ -37,7 +38,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, a: string, b
 	print outfile, a;
 	print outfile, b;
 	try = try + 1;
-	if ( try == 3 )
+	if ( try == 4 )
 		{
 		Input::remove("input");
 		close(outfile);