Commit

Fixed invalid read (heap-buffer-overflow) when parsing an XFF spec via a JSON.

This explicitly checks that p is less than the address of the null terminator,
which ensures that the loop terminates before p can point beyond the end of the
string.

See allinurl#2492 using a JSON format. e.g.,
--log-format='{ "accessIpList": "~h{, }", "cookie": "%e", "httpHost": "%v",
"timestamp": "%dT%t+%^", "method": "%m", "url": "%U", "status": "%s",
"httpReferer": "%R", "bodyBytesSent": "%b", "requestTime": "%T", "ua": "%u" }'
--date-format='%Y-%m-%d' --time-format=%T
allinurl committed Mar 29, 2023
1 parent 156aea4 commit be1d51a
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/parser.c
Expand Up @@ -1481,14 +1481,15 @@ special_specifier (GLogItem * logitem, char **str, char **p) {
static int
parse_format (GLogItem * logitem, char *str, char *lfmt) {
char end[2 + 1] = { 0 };
char *p = NULL;
char *p = NULL, *last = NULL;
int perc = 0, tilde = 0, ret = 0;

if (str == NULL || *str == '\0')
return 1;

/* iterate over the log format */
for (p = lfmt; *p; p++) {
last = lfmt + strlen (lfmt);
for (p = lfmt; p < last; p++) {
if (*p == '%') {
perc++;
continue;
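Review bot: The `p < last` bound in the rewritten `for` header only stops the loop once `p` has already been moved to or past the terminator; it does not stop code in the loop body from advancing `p` too far in the first place. Helpers that receive `char **p`, like `special_specifier` named in the hunk header, can move the cursor, and anything they read past the NUL would be read before control returns to this check. Consider also making the code that advances `p` stop at `'\0'`, and add a short comment above `last = lfmt + strlen (lfmt);` explaining why the loop compares pointers instead of testing `*p`, so a later cleanup does not revert it. `last` could also be declared `const char *`, since in the visible lines it is only used for the comparison.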