unescape: fix overflow on unescaping string (oss-fuzz 22132)

Signed-off-by: Eduardo Silva <eduardo@treasure-data.com>
fluent · May 11, 2020 · 0c222db · 0c222db
1 parent 77cb629
commit 0c222db
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/src/flb_unescape.c b/src/flb_unescape.c
@@ -126,17 +126,18 @@ int flb_unescape_string_utf8(const char *in_buf, int sz, char *out_buf)
 {
     uint32_t ch;
     char temp[4];
+    const char *end;
     const char *next;
 
     int count_out = 0;
     int count_in = 0;
     int esc_in = 0;
     int esc_out = 0;
 
-    while (*in_buf && count_in < sz) {
+    end = in_buf + sz;
+    while (in_buf < end && *in_buf && count_in < sz) {
         next = in_buf + 1;
-
-        if (*in_buf == '\\') {
+        if (next < end && *in_buf == '\\') {
             esc_in = 2;
             switch (*next) {
             case '"':