From 61290fc19c53ca0e78b326cdd981ca34f60670d3 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Fri, 12 Feb 2021 14:16:25 +0000
Subject: [PATCH 1/2] Fix buffer overread in ascii formatter

When a text with an (escaped) zero byte was passed to ParseValue, only the part of the string up to the zero byte was copied, but the length of the full string was passed to the input framework. This leads to the input manager reading over the end of the buffer. Fixes zeek/zeek#1398
---
 src/threading/formatters/Ascii.cc | 4 +++-
 .../btest/Baseline/scripts.base.frameworks.input.binary/out | 2 ++
 testing/btest/scripts/base/frameworks/input/binary.zeek | 3 ++-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/threading/formatters/Ascii.cc b/src/threading/formatters/Ascii.cc
index ff43bfa27b..3cff8b02cf 100644
--- a/src/threading/formatters/Ascii.cc
+++ b/src/threading/formatters/Ascii.cc
@@ -225,7 +225,9 @@ Value* Ascii::ParseValue(const string& s, const string& name, TypeTag type, Type
 {
 string unescaped = util::get_unescaped_string(s);
 val->val.string_val.length = unescaped.size();
-val->val.string_val.data = util::copy_string(unescaped.c_str());
+val->val.string_val.data = new char[val->val.string_val.length];
+// we do not need a zero-byte at the end - the input manager adds that explicitly
+memcpy(val->val.string_val.data, unescaped.data(), unescaped.size());
 break;
 }
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.binary/out b/testing/btest/Baseline/scripts.base.frameworks.input.binary/out
index 5c7202123e..3b2153d05a 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.input.binary/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.binary/out
@@ -5,3 +5,5 @@ abc|\xffdef
 DATA2
 abc\xff|def
 DATA2
+abc\x00\x00\x00\xff|def
+DATA3
diff --git a/testing/btest/scripts/base/frameworks/input/binary.zeek b/testing/btest/scripts/base/frameworks/input/binary.zeek
index fa98625997..b151c2a4b2 100644
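Review bot: The buffer now produced by the `new char[...]`/`memcpy` lines in the Ascii.cc hunk is no longer NUL-terminated, so any consumer that treats `string_val.data` as a C string (`strlen`, `%s`, `std::string(data)`) would read past the allocation — the mirror image of the overread being fixed — and the added comment only says the terminator is unnecessary here rather than stating that invariant. I would make it explicit at the allocation site: `// NOT NUL-terminated: every consumer must honor string_val.length; the input manager appends its own terminator when it takes the value`. Whether every consumer of `Value::string_val` (not only the input manager mentioned in the comment) already honors `length` is not visible from this hunk and should be confirmed, since a single `length`-ignoring reader reintroduces an out-of-bounds read; the new baseline entries with embedded `\x00` only cover the input path. As a point of style, the allocation uses `val->val.string_val.length` while the copy uses `unescaped.size()`; binding `const auto len = unescaped.size();` once and using it in the `length` assignment, the `new char[len]` and the `memcpy` makes it obvious that allocation and copy agree. ParseValue's body begins and ends outside the hunk.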
--- a/testing/btest/scripts/base/frameworks/input/binary.zeek
+++ b/testing/btest/scripts/base/frameworks/input/binary.zeek
@@ -21,6 +21,7 @@ redef InputAscii::unset_field = "-";
 abc\x0a\xffdef|DATA2
 abc\x7c\xffdef|DATA2
 abc\xff\x7cdef|DATA2
+abc\x00\x00\x00\xff\x7cdef|DATA3
 #end|2012-07-20-01-49-19
 @TEST-END-FILE
@@ -37,7 +38,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, a: string, b
 print outfile, a;
 print outfile, b;
 try = try + 1;
- if ( try == 3 )
+ if ( try == 4 )
 {
 Input::remove("input");
 close(outfile);

From 6c554ddde32cae3f7d2e6f9277668a00115dd6cf Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Fri, 12 Feb 2021 14:49:33 +0000
Subject: [PATCH 2/2] Ascii reader test with 0-bytes

Add a second test, which contains actual 0-bytes.
---
 .../scripts.base.frameworks.input.binary/out | 2 ++
 .../scripts/base/frameworks/input/binary.zeek | Bin 1100 -> 1116 bytes
 2 files changed, 2 insertions(+)

diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.binary/out b/testing/btest/Baseline/scripts.base.frameworks.input.binary/out
index 3b2153d05a..7ddee73649 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.input.binary/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.binary/out
@@ -7,3 +7,5 @@ abc\xff|def
 DATA2
 abc\x00\x00\x00\xff|def
 DATA3
+abcd\x00\x00\x00ef
+DATA4
diff --git a/testing/btest/scripts/base/frameworks/input/binary.zeek b/testing/btest/scripts/base/frameworks/input/binary.zeek
index b151c2a4b289a43c93d060b852ed00b347723213..1ea89ea91ba9a63de9713337dbed2b7adf4288e9 100644
GIT binary patch delta 34 pcmX@Zaff4r854hEQgR9d14C+Bjf-Q5qseAdCLKmb)5%H9uK={|3H|^8 delta 18 Zcmcb^afV}q8PjGrCT&JWlgUNQuK+tb1@8a=