Sisyphus repository
Last updated: 1 October 2023 | Packages: 18631 | Visits: 37770136
ALT repositories

Group :: System/Libraries
Package: libpsl

Patch: Fix-write-buffer-overflow-by-1-in-domain_to_punycode.patch


From b2625f93f2dcb28ea6c4b33d4cb7ff50a24f3c00 Mon Sep 17 00:00:00 2001
From: Tim Rühsen <tim.ruehsen@gmx.de>
Date: Sun, 26 Sep 2021 18:01:59 +0200
Subject: [PATCH] Fix write buffer overflow by 1 in domain_to_punycode()
This issue has been triggered after the previous commit increased
the size of label_buf.
It has been found by OSS-Fuzz (issue 39226).
The testcase is included in the unit tests.
---
 ...stcase-libpsl_load_fuzzer-5191070590304256 | 231 ++++++++++++++++++
 src/psl.c                                     |   5 +-
 2 files changed, 232 insertions(+), 4 deletions(-)
 create mode 100644 fuzz/libpsl_load_fuzzer.repro/clusterfuzz-testcase-libpsl_load_fuzzer-5191070590304256
diff --git a/fuzz/libpsl_load_fuzzer.repro/clusterfuzz-testcase-libpsl_load_fuzzer-5191070590304256 b/fuzz/libpsl_load_fuzzer.repro/clusterfuzz-testcase-libpsl_load_fuzzer-5191070590304256
new file mode 100644
index 0000000..9d276c1
--- /dev/null
+++ b/fuzz/libpsl_load_fuzzer.repro/clusterfuzz-testcase-libpsl_load_fuzzer-5191070590304256
@@ -0,0 +1,231 @@
+^^Z^^^^^^^^^^^^^^^^^^^^rRRRINS===
+com
+п╟
+п╥ы╟
+т╣╟
+т╦
+ы╙
+о╟
+т╦
+ы╟
+т╦
+ы╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟т╦
+ы╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ыь©
+т▌
+п╤
+ш╨
+в╨
+п╧
+ь╦
+я╥
+ы╚
+о╡
+у╣
+з╦о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟т╦
+ы╙
+╤
+ш╨
+в╨
+п╧
+ь╦
+я╥
+ы╚
+о╡
+у╣7К╜▐
+з╦о╟
+тш╨
+в╨
+п╧
+ь╦
+я╥ы╚
+о╡
+у╣
+з╦о╟888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
+т╦
+ы╙
+о╟
+т^^^^^^^^^^^^^^^^^^^░ЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪЪ^^^^^^^^m^^^^N^╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟т╦
+ы╙
+о╟
+ь╦
+я╥
+ы╟
+т·
+з╦
+р╩р╩
+ь╨
+п╦ь╦
+я╥
+ы╟
+т╣
+ы╙
+о╟т╦
+ы╙
+о╟
+з╦
+р╩
+ь╨
+р╧
+ь╦
+я╥
+ы╟т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙ы╚
+о╡
+у╣
+з╦о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟т╦
+ы╙
+╤
+ш╨
+в╨
+п
+о╟
+т╦
+ы╙
+о╟т╦
+ы╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ыь©
+т▌
+п╤
+ш╨
+в╨Mп╧
+ь╦
+я╥
+ы╚
+о╡
+у╣
+з╦о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟т╦
+ы╙
+╤
+ш╨
+в╨
+п╧
+ь╦
+я╥
+ы╚
+о╡
+у╣
+з╦о╟
+тш╨
+в╨
+п╧
+ь╦
+я╥
+ы╚
+о╡
+у╣
+з╦о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟
+т╦
+ы╙
+о╟т╦
+ы╙
+о^^a^^^N^^^╟
+ь╦
+я^^^^^^^╥^
+^^^░
\ No newline at end of file
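Review bot: the commit message says the test case is included in the unit tests, but this hunk only adds the reproducer file under fuzz/libpsl_load_fuzzer.repro/ and nothing in the patch wires it into a test; confirm that the test suite actually iterates over that repro directory (and that the build used for the tests has the fuzzer target enabled), otherwise this regression test never executes. The file is binary with no trailing newline (see the marker at the end of the hunk), which is expected for fuzzer output; consider marking the repro directory as binary in .gitattributes so tools do not normalise line endings and silently change the input that triggers the bug.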
diff --git a/src/psl.c b/src/psl.c
index 617753d..73fbe30 100644
--- a/src/psl.c
+++ b/src/psl.c
@@ -571,13 +571,11 @@ static int domain_to_punycode(const char *domain, char *out, size_t outsize)
 	for (e = label = domain; e; label = e + 1) {
 		e = strchr(label, '.');
 		labellen = e ? (size_t) (e - label) : strlen(label);
-		/* printf("s=%s inlen=%zd\n", label, labellen); */
 
 		if (mem_is_ascii(label, labellen)) {
 			if (outlen + labellen + (e != NULL) >= outsize)
 				return 1;
 
-			/* printf("outlen=%zd labellen=%zd\n", outlen, labellen); */
 			memcpy(out + outlen, label, labellen);
 			outlen += labellen;
 		} else {
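Review bot: the two lines removed in this hunk are commented-out debug printf()s with no bearing on the overflow fix; either keep that cleanup out of the bugfix commit so it backports cleanly, or mention it in the commit message. The ASCII-branch guard `if (outlen + labellen + (e != NULL) >= outsize)` is correct as written: it counts the separator, and the `>=` leaves one byte for the terminator, which is exactly the invariant the non-ASCII branch below was not honouring.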
@@ -592,8 +590,7 @@ static int domain_to_punycode(const char *domain, char *out, size_t outsize)
 			memcpy(out + outlen, "xn--", 4);
 			outlen += 4;
 
-			labellen = outsize - outlen;
-			/* printf("n=%zd space_left=%zd\n", n, labellen); */
+			labellen = outsize - outlen - 1; // -1 to leave space for the trailing \0
 			if (punycode_encode(inputlen, input, &labellen, out + outlen))
 				return 1;
 			outlen += labellen;
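Review bot: `labellen = outsize - outlen - 1` is a size_t subtraction and whatever guard precedes the `xn--` copy is outside this hunk, so confirm it guarantees outlen + 4 < outsize at this point; if outlen can reach outsize here the `- 1` wraps to SIZE_MAX and punycode_encode() is told it has unlimited space, which is a worse overflow than the one being fixed. The same reservation should also cover the '.' separator when `e != NULL`: if the separator is written after this block (not shown in the hunk), the capacity handed to punycode_encode() needs to exclude that byte too, i.e. `outsize - outlen - (e != NULL) - 1`. Minor style point: the surrounding code uses `/* */` comments (see the lines removed above), so `// -1 to leave space for the trailing \0` should match that style.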
-- 
2.33.5
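The off-by-one described in the commit message above, shown as an added example in C that is not libpsl's code. It models the capacity contract of domain_to_punycode(): a fixed output buffer filled label by label, an ASCII branch guarded by a `>=` check, and an encoder for non-ASCII labels that receives the remaining capacity through an in/out size parameter, as punycode_encode() does. The encoder here, hex_encode_label(), is a hex-escape stand-in rather than real Punycode, the names domain_to_labels(), overflows() and encodes_to() are this example's own, the input strings are constructed, and the example additionally subtracts the '.' separator byte when handing capacity to the encoder, which the hunk does not show. A sentinel byte after the buffer shows the pre-fix capacity (outsize - outlen) letting the terminating '\0' land one byte past the buffer, while the patched form (outsize - outlen - 1) makes the encoder refuse instead.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for punycode_encode() (assumption: hex escaping, not Punycode).
 * Same contract as the real encoder: *outlen is the capacity on entry and
 * the number of bytes written on return; returns 1 if the label does not fit. */
static int hex_encode_label(const char *in, size_t inlen, size_t *outlen, char *out)
{
    static const char hex[] = "0123456789abcdef";
    size_t need = inlen * 2, i;

    if (need > *outlen)
        return 1;
    for (i = 0; i < inlen; i++) {
        out[2 * i]     = hex[(unsigned char) in[i] >> 4];
        out[2 * i + 1] = hex[(unsigned char) in[i] & 0x0f];
    }
    *outlen = need;
    return 0;
}

static int mem_is_ascii(const char *s, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if ((unsigned char) s[i] >= 0x80)
            return 0;
    return 1;
}

/* Label-by-label loop in the shape of domain_to_punycode(). reserve_nul picks
 * the capacity given to the encoder: remaining space (pre-fix form) or remaining
 * space minus one byte for the '\0' (patched form). Returns 0 on success, 1 if
 * the domain does not fit in outsize bytes. */
static int domain_to_labels(const char *domain, char *out, size_t outsize, int reserve_nul)
{
    const char *label, *e;
    size_t labellen, outlen = 0;

    for (label = domain; ; label = e + 1) {
        e = strchr(label, '.');
        labellen = e ? (size_t) (e - label) : strlen(label);

        if (mem_is_ascii(label, labellen)) {
            /* Counts the separator; ">=" keeps one byte for the '\0'. */
            if (outlen + labellen + (e != NULL) >= outsize)
                return 1;
            memcpy(out + outlen, label, labellen);
            outlen += labellen;
        } else {
            size_t cap;

            /* Prefix plus separator must fit with a byte to spare, so the
             * size_t subtraction below can never wrap. */
            if (outlen + 4 + (e != NULL) >= outsize)
                return 1;
            memcpy(out + outlen, "xn--", 4);
            outlen += 4;

            /* Remaining space minus the separator (if any) and, in the
             * patched form, minus the terminator. */
            cap = outsize - outlen - (e != NULL) - (reserve_nul ? 1 : 0);
            if (hex_encode_label(label, labellen, &cap, out + outlen))
                return 1;
            outlen += cap;
        }
        if (!e)
            break;
        out[outlen++] = '.';
    }
    out[outlen] = '\0';   /* the write the pre-fix capacity did not reserve */
    return 0;
}

/* Runs domain_to_labels() into a buffer with a sentinel byte right after the
 * outsize bytes it may use. Returns 1 if the sentinel was overwritten (a write
 * past the buffer), 0 if it survived, -1 if outsize exceeds the backing store. */
static int overflows(const char *domain, size_t outsize, int reserve_nul)
{
    char buf[128];

    if (outsize + 1 > sizeof buf)
        return -1;
    memset(buf, 'S', sizeof buf);
    (void) domain_to_labels(domain, buf, outsize, reserve_nul);
    return buf[outsize] != 'S';
}

/* Returns 1 if domain fits in outsize bytes with the patched capacity and
 * encodes to expected, 0 otherwise. */
static int encodes_to(const char *domain, size_t outsize, const char *expected)
{
    char buf[128];

    if (outsize > sizeof buf || domain_to_labels(domain, buf, outsize, 1) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed input: "ü" (UTF-8 C3 BC) encodes to "xn--c3bc", exactly 8 bytes. */
    printf("pre-fix capacity, outsize 8: %s\n", overflows("\xc3\xbc", 8, 0) ? "wrote past buffer" : "ok");
    printf("patched capacity, outsize 8: %s\n", overflows("\xc3\xbc", 8, 1) ? "wrote past buffer" : "refused, ok");
    printf("patched capacity, outsize 9: %s\n", encodes_to("\xc3\xbc", 9, "xn--c3bc") ? "xn--c3bc" : "unexpected");
    return 0;
}
```

The sentinel keeps the example well-defined: the overflowing '\0' lands in padding that overflows() owns, so the out-of-bounds write is observed directly rather than left to a sanitizer. Note that the defect only surfaces when the encoded label fills the buffer exactly, which is why it took a fuzzer-generated input to find it.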
 