From 61290fc19c53ca0e78b326cdd981ca34f60670d3 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Fri, 12 Feb 2021 14:16:25 +0000
Subject: [PATCH] Fix buffer overread in ascii formatter

When a text with an (escaped) zero byte was passed to ParseValue, only the part of the string up to the zero byte was copied, but the length of the full string was passed to the input framework. This leads to the input manager reading over the end of the buffer.

Fixes zeek/zeek#1398
---
src/threading/formatters/Ascii.cc | 4 +++-
.../btest/Baseline/scripts.base.frameworks.input.binary/out | 2 ++
testing/btest/scripts/base/frameworks/input/binary.zeek | 3 ++-
3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/threading/formatters/Ascii.cc b/src/threading/formatters/Ascii.cc
index ff43bfa27b..3cff8b02cf 100644
--- a/src/threading/formatters/Ascii.cc
+++ b/src/threading/formatters/Ascii.cc
@@ -225,7 +225,9 @@ Value* Ascii::ParseValue(const string& s, const string& name, TypeTag type, Type
 {
 string unescaped = util::get_unescaped_string(s);
 val->val.string_val.length = unescaped.size();
- val->val.string_val.data = util::copy_string(unescaped.c_str());
+ val->val.string_val.data = new char[val->val.string_val.length];
+ // we do not need a zero-byte at the end - the input manager adds that explicitly
+ memcpy(val->val.string_val.data, unescaped.data(), unescaped.size());
 break;
 }
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.binary/out b/testing/btest/Baseline/scripts.base.frameworks.input.binary/out
index 5c7202123e..3b2153d05a 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.input.binary/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.binary/out
@@ -5,3 +5,5 @@ abc|\xffdef
 DATA2
 abc\xff|def
 DATA2
+abc\x00\x00\x00\xff|def
+DATA3
diff --git a/testing/btest/scripts/base/frameworks/input/binary.zeek b/testing/btest/scripts/base/frameworks/input/binary.zeek
index fa98625997..b151c2a4b2 100644
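Review bot: The new buffer in `ParseValue` is exactly `length` bytes with no terminator, so the fix holds only as long as every consumer of `string_val.data` honours `length`; any code path that still treats it as a C string (the previous `copy_string(unescaped.c_str())` result was NUL-terminated) would now over-read by the same mechanism this commit closes. Allocating one extra byte and terminating keeps both kinds of consumer safe at negligible cost: `val->val.string_val.data = new char[val->val.string_val.length + 1];`, then the existing `memcpy`, then `val->val.string_val.data[val->val.string_val.length] = '\0';`. Two things I cannot see from the hunk and would confirm: that whoever frees `string_val.data` uses `delete[]` (the allocation now bypasses `util::copy_string`, so the deallocator must still match), and that `length`'s type cannot go negative for a very large `unescaped.size()` before it is used as the `new[]` size. The `memcpy` call also needs `<cstring>` in scope if the file does not already include it. `ParseValue` begins and ends outside the hunk.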
--- a/testing/btest/scripts/base/frameworks/input/binary.zeek
+++ b/testing/btest/scripts/base/frameworks/input/binary.zeek
@@ -21,6 +21,7 @@ redef InputAscii::unset_field = "-";
 abc\x0a\xffdef|DATA2
 abc\x7c\xffdef|DATA2
 abc\xff\x7cdef|DATA2
+abc\x00\x00\x00\xff\x7cdef|DATA3
 #end|2012-07-20-01-49-19
 @TEST-END-FILE
@@ -37,7 +38,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, a: string, b
 print outfile, a;
 print outfile, b;
 try = try + 1;
- if ( try == 3 )
+ if ( try == 4 )
 {
 Input::remove("input");
 close(outfile);
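Review bot: The `try == 4` bump in the second hunk ties the shutdown condition to the number of data rows in the embedded input file, and nothing near the line says so, so the next person adding a row will have to rediscover it. A short comment above the condition, `# one event per data line in the input above; update when adding rows`, makes the coupling visible. The enclosing `event line(...)` handler starts before the hunk and continues after it.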