Fix buffer overread in ascii formatter

When a text with an (escaped) zero byte was passed to ParseValue, only
the part of the string up to the zero byte was copied, but the length of
the full string was passed to the input framework.

This leads to the input manager reading over the end of the buffer.

Fixes zeek/zeek#1398

src/threading/formatters/Ascii.cc

@@ -225,7 +225,9 @@ Value* Ascii::ParseValue(const string& s, const string& name, TypeTag type, Type
 		{
 		string unescaped = util::get_unescaped_string(s);
 		val->val.string_val.length = unescaped.size();
-		val->val.string_val.data = util::copy_string(unescaped.c_str());
+		val->val.string_val.data = new char[val->val.string_val.length];
+		// we do not need a zero-byte at the end - the input manager adds that explicitly
+		memcpy(val->val.string_val.data, unescaped.data(), unescaped.size());
 		break;
 		}
 

testing/btest/Baseline/scripts.base.frameworks.input.binary/out

@@ -5,3 +5,5 @@ abc|\xffdef
 DATA2
 abc\xff|def
 DATA2
+abc\x00\x00\x00\xff|def
+DATA3

testing/btest/scripts/base/frameworks/input/binary.zeek

@@ -21,6 +21,7 @@ redef InputAscii::unset_field = "-";
 abc\x0a\xffdef|DATA2
 abc\x7c\xffdef|DATA2
 abc\xff\x7cdef|DATA2
+abc\x00\x00\x00\xff\x7cdef|DATA3
 #end|2012-07-20-01-49-19
 @TEST-END-FILE
 
@@ -37,7 +38,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, a: string, b
 	print outfile, a;
 	print outfile, b;
 	try = try + 1;
-	if ( try == 3 )
+	if ( try == 4 )
 		{
 		Input::remove("input");
 		close(outfile);