Fix write buffer overflow by 1 in domain_to_punycode()

This issue has been triggered after the previous commit increased the size of label_buf. It has been found by OSS-Fuzz (issue 39226). The testcase is included into the unit tests.
2021-09-26 18:01:59 +02:00 · 2021-09-26 18:01:59 +02:00 · b2625f93f2
parent 304ca77522
commit b2625f93f2
2 changed files with 232 additions and 4 deletions
--- a/fuzz/libpsl_load_fuzzer.repro/clusterfuzz-testcase-libpsl_load_fuzzer-5191070590304256
+++ b/fuzz/libpsl_load_fuzzer.repro/clusterfuzz-testcase-libpsl_load_fuzzer-5191070590304256
@ -0,0 +1,231 @@
+^^Z^^^^^^^^^^^^^^^^^^^^rRRRINS===
+com
+邪
+蟹侔
+缘<EFBFBD>
+愿
+侏
+习
+愿
+侔
+愿
+俑
+侏
+习
+愿
+侏
+习
+愿
+侏
+习
+愿
+侏
+习
+愿
+侏
+习愿
+侔
+愿
+侏
+习
+愿
+侏
+习
+愿
+儇<EFBFBD>
+詭
+卸
+酆
+缀
+泄
+馗
+逊
+佾
+喜
+盏
+诟习
+愿
+侏
+习
+愿
+侏
+习
+愿
+侏
+习
+愿
+侏
+习
+愿
+侏
+习愿
+侏
+<EFBFBD>
+酆
+缀
+泄
+馗
+逊
+佾
+喜
+盏7氕<EFBFBD>
+诟习
+咱<EFBFBD>
+缀
+泄
+馗
+逊佾
+喜
+盏
+诟习888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
+愿
+侏
+习
+証^^^^^^^^^^^^^^^^^^<5E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>^^^^^^^^m^^^^N^<5E>
+侏
+习
+愿
+侏
+习
+愿
+侏
+习
+愿
+侏
+习愿
+侏
+习
+馗
+逊
+侔
+詾
+诟
+一一
+睾
+懈馗
+逊
+侔
+缘
+侏
+习愿
+侏
+习
+<EFBFBD>
+诟
+一
+睾
+夜
+馗
+逊
+侔愿
+侏
+习
+愿
+侏
+习
+愿
+侏
+习
+愿
+侏佾
+喜
+盏
+诟习
+愿
+侏
+习
+愿
+侏
+习
+愿
+侏
+习
+愿
+侏
+习
+愿
+侏
+习愿
+侏
+<EFBFBD>
+酆
+缀
+<EFBFBD>
+习
+愿
+侏
+习愿
+侔
+愿
+侏
+习
+愿
+侏
+习
+愿
+儇<EFBFBD>
+詭
+卸
+酆
+缀M泄
+馗
+逊
+佾
+喜
+盏
+诟习
+愿
+侏
+习
+愿
+侏
+习
+愿
+侏
+习
+愿
+侏
+习
+愿
+侏
+习愿
+侏
+<EFBFBD>
+酆
+缀
+泄
+馗
+逊
+佾
+喜
+盏
+诟习
+咱<EFBFBD>
+缀
+泄
+馗
+逊
+佾
+喜
+盏
+诟习
+愿
+侏
+习
+愿
+侏
+习
+愿
+侏
+习
+愿
+侏
+习
+愿
+侏
+习愿
+侏
+蟐^a^^^N^^^<5E>
+馗
+裗^^^^^^穅
+^^^<5E>
--- a/src/psl.c
+++ b/src/psl.c
@ -571,13 +571,11 @@ static int domain_to_punycode(const char *domain, char *out, size_t outsize)
 	for (e = label = domain; e; label = e + 1) {
 		e = strchr(label, '.');
 		labellen = e ? (size_t) (e - label) : strlen(label);
-		/* printf("s=%s inlen=%zd\n", label, labellen); */

 		if (mem_is_ascii(label, labellen)) {
 			if (outlen + labellen + (e != NULL) >= outsize)
 				return 1;

-			/* printf("outlen=%zd labellen=%zd\n", outlen, labellen); */
 			memcpy(out + outlen, label, labellen);
 			outlen += labellen;
 		} else {
@ -592,8 +590,7 @@ static int domain_to_punycode(const char *domain, char *out, size_t outsize)
 			memcpy(out + outlen, "xn--", 4);
 			outlen += 4;

-			labellen = outsize - outlen;
-			/* printf("n=%zd space_left=%zd\n", n, labellen); */
+			labellen = outsize - outlen - 1; // -1 to leave space for the trailing \0
 			if (punycode_encode(inputlen, input, &labellen, out + outlen))
 				return 1;
 			outlen += labellen;