From 85fbebe61a1aec2f86e36fb464283b6b55d3d76d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Tue, 23 Jun 2020 20:51:13 +0200
Subject: [PATCH] journal: fix buffer overrun when urlifying

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21122.

message is only valid until message_len, and we need to make sure we're not reading pass that.

Bug introduced in 2108b56749ebb8d17f06d08b6ada2f79ae4f0.
---
 src/shared/logs-show.c | 9 ++++++---
 test/fuzz/fuzz-journal-remote/oss-fuzz-21122 | Bin 0 -> 35798 bytes
 2 files changed, 6 insertions(+), 3 deletions(-)
 create mode 100644 test/fuzz/fuzz-journal-remote/oss-fuzz-21122

diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
index 570377dc76..fee6ccdf2a 100644
--- a/src/shared/logs-show.c
+++ b/src/shared/logs-show.c
@@ -573,19 +573,22 @@ static int output_short(
                 if (config_file &&
                     message_len >= config_file_len &&
                     memcmp(message, config_file, config_file_len) == 0 &&
-                    IN_SET(message[config_file_len], ':', ' ', '\0') &&
+                    (message_len == config_file_len || IN_SET(message[config_file_len], ':', ' ')) &&
                     (!highlight || highlight_shifted[0] == 0 || highlight_shifted[0] > config_file_len)) {
                         _cleanup_free_ char *t = NULL, *urlified = NULL;
 
                         t = strndup(config_file, config_file_len);
                         if (t && terminal_urlify_path(t, NULL, &urlified) >= 0) {
-                                size_t shift = strlen(urlified) - config_file_len;
+                                size_t urlified_len = strlen(urlified);
+                                size_t shift = urlified_len - config_file_len;
                                 char *joined;
 
-                                joined = strjoin(urlified, message + config_file_len);
+                                joined = realloc(urlified, message_len + shift);
                                 if (joined) {
+                                        memcpy(joined + urlified_len, message + config_file_len, message_len - config_file_len);
                                         free_and_replace(message, joined);
+                                        TAKE_PTR(urlified);
                                         message_len += shift;
                                         if (highlight) {
                                                 highlight_shifted[0] += shift;
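Review bot: The realloc-based join drops the terminating NUL that the old `strjoin()` result carried, so from the `memcpy()` onward `message` is a length-delimited byte range rather than a C string; if anything later in output_short(), or a consumer it hands `message` to, still calls `strlen()` on it or prints it with `%s`, that would read past `message_len` — worth a comment at the `memcpy()` line stating that `message` is not NUL-terminated and must only be used with `message_len`. The `TAKE_PTR(urlified)` line also deserves a why-comment, since its correctness hinges on `realloc()` having consumed the allocation: `/* realloc() took over urlified's buffer (now owned by message); detach it so the cleanup does not free it twice */`. The enclosing `if (joined)` and `if (highlight)` blocks continue past the end of the hunk, and the hunk header's line counts suggest the page has dropped its final context line.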
diff --git a/test/fuzz/fuzz-journal-remote/oss-fuzz-21122 b/test/fuzz/fuzz-journal-remote/oss-fuzz-21122 new file mode 100644 index 0000000000000000000000000000000000000000..e0e05e1675fce463e413337700dc839014c29a6d GIT binary patch literal 35798 zcmeI5L5tHs6vxN1r#a{+5OSBYNt?2J88F#)*W#vGnk<3}LA-eLB6tz$*^}SFuOO_S z!IQ8bK|C&sHxbmCWLvY4wv#lS%%uNEXu6a4X5Refy$M6o9c$>t9_v{aO_J%zJB`P| zC=nk~>;-4ca&6bK9exaK=kTCUts-GXg~IUfsxkhmifekk0jA7hF4kVgGZDa@+SA zEuN10w8y#uqcNEgF$Hip2nl^7B=A`%ErNj0_-7}Dk$%kzXs&>l2)$IffWbUfYnx2w z6|OyRGCl8+Ost&S#nE8(1_!#_kk%qGP@&;_$7VActT!cKV8rU}@}>g94HfiEV*)av2^|p7kbuTn1=m0T1VBIo z0y<6H8sLBn#uLyfq80k`x~{g24*&x?;27YeY8UH@U(^EviV3Jr6|@He?h z`Hv#X!G<;nfB+}3d>X(N1q2X-AkY8-1(7Y?L<8MNlOO;Bts{V6^R#YA(IF530T2KI z5CDPd1f*AEhABR&M-1yV+$~R_dhWmy1a^f$`MiR~N&>qQIOwNV1Xji*E`or*1hmQ{ zI0FJk5=fFDoP=>D-?uh5l=f!Xo;!At^jxv6%hCBX3a4z$w{hWHqR?!&7yczZ?uwHr z7Uyhd6LDoxyiz+!<~Cx#6k+$jCb5@FuAZ!V=2IH6h+FaF<^7Le7JI8KT2E_Aw_lO6 z<{O^~`8wZ~W$s65urL4tX#!iD4^XiT0qJpqA_&w+KqfR*>D1RN)C2+`u)75Cj@a&w zJ$kM?fyK(4J)M1c)3JX&9)7zV+?hSPy88X@(~m#rFVdAYUw41McrUfKr!tHC&u)Tz47A2D2lz{j5)6D WI<~_P_pm?c_36;-b{*
P(C1AK!3 literal 0 HcmV?d00001