Fix write buffer overflow by 1 in domain_to_punycode()

This issue has been triggered after the previous commit increased the size of label_buf. It has been found by OSS-Fuzz (issue 39226). The testcase is included into the unit tests.
2021-09-26 18:01:59 +02:00 · 2021-09-26 18:01:59 +02:00 · b2625f93f2
parent 304ca77522
commit b2625f93f2
2 changed files with 232 additions and 4 deletions
--- a/fuzz/libpsl_load_fuzzer.repro/clusterfuzz-testcase-libpsl_load_fuzzer-5191070590304256
+++ b/fuzz/libpsl_load_fuzzer.repro/clusterfuzz-testcase-libpsl_load_fuzzer-5191070590304256
@ -0,0 +1,231 @@
 ^^Z^^^^^^^^^^^^^^^^^^^^rRRRINS===
 com
 邪
 蟹侔
 缘<EFBFBD>
 愿
 侏
 习
 愿
 侔
 愿
 俑
 侏
 习
 愿
 侏
 习
 愿
 侏
 习
 愿
 侏
 习
 愿
 侏
 习愿
 侔
 愿
 侏
 习
 愿
 侏
 习
 愿
 儇<EFBFBD>
 詭
 卸
 酆
 缀
 泄
 馗
 逊
 佾
 喜
 盏
 诟习
 愿
 侏
 习
 愿
 侏
 习
 愿
 侏
 习
 愿
 侏
 习
 愿
 侏
 习愿
 侏
 <EFBFBD>
 酆
 缀
 泄
 馗
 逊
 佾
 喜
 盏7氕<EFBFBD>
 诟习
 咱<EFBFBD>
 缀
 泄
 馗
 逊佾
 喜
 盏
 诟习888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
 愿
 侏
 习
 証^^^^^^^^^^^^^^^^^^<5E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>^^^^^^^^m^^^^N^<5E>
 侏
 习
 愿
 侏
 习
 愿
 侏
 习
 愿
 侏
 习愿
 侏
 习
 馗
 逊
 侔
 詾
 诟
 一一
 睾
 懈馗
 逊
 侔
 缘
 侏
 习愿
 侏
 习
 <EFBFBD>
 诟
 一
 睾
 夜
 馗
 逊
 侔愿
 侏
 习
 愿
 侏
 习
 愿
 侏
 习
 愿
 侏佾
 喜
 盏
 诟习
 愿
 侏
 习
 愿
 侏
 习
 愿
 侏
 习
 愿
 侏
 习
 愿
 侏
 习愿
 侏
 <EFBFBD>
 酆
 缀
 <EFBFBD>
 习
 愿
 侏
 习愿
 侔
 愿
 侏
 习
 愿
 侏
 习
 愿
 儇<EFBFBD>
 詭
 卸
 酆
 缀M泄
 馗
 逊
 佾
 喜
 盏
 诟习
 愿
 侏
 习
 愿
 侏
 习
 愿
 侏
 习
 愿
 侏
 习
 愿
 侏
 习愿
 侏
 <EFBFBD>
 酆
 缀
 泄
 馗
 逊
 佾
 喜
 盏
 诟习
 咱<EFBFBD>
 缀
 泄
 馗
 逊
 佾
 喜
 盏
 诟习
 愿
 侏
 习
 愿
 侏
 习
 愿
 侏
 习
 愿
 侏
 习
 愿
 侏
 习愿
 侏
 蟐^a^^^N^^^<5E>
 馗
 裗^^^^^^穅
 ^^^<5E>
--- a/src/psl.c
+++ b/src/psl.c
@ -571,13 +571,11 @@ static int domain_to_punycode(const char *domain, char *out, size_t outsize)
 	for (e = label = domain; e; label = e + 1) {
 		e = strchr(label, '.');
 		labellen = e ? (size_t) (e - label) : strlen(label);
 		/* printf("s=%s inlen=%zd\n", label, labellen); */
 		if (mem_is_ascii(label, labellen)) {
 			if (outlen + labellen + (e != NULL) >= outsize)
 				return 1;
 			/* printf("outlen=%zd labellen=%zd\n", outlen, labellen); */
 			memcpy(out + outlen, label, labellen);
 			outlen += labellen;
 		} else {
@ -592,8 +590,7 @@ static int domain_to_punycode(const char *domain, char *out, size_t outsize)
 			memcpy(out + outlen, "xn--", 4);
 			outlen += 4;
-			labellen = outsize - outlen;
+			labellen = outsize - outlen - 1; // -1 to leave space for the trailing \0
 			/* printf("n=%zd space_left=%zd\n", n, labellen); */
 			if (punycode_encode(inputlen, input, &labellen, out + outlen))
 				return 1;
 			outlen += labellen;