From 87803328179524f0b3982529b6cf6e3c2e07fe68 Mon Sep 17 00:00:00 2001
From: Guy Harris
Date: Thu, 18 May 2023 17:59:33 -0700
Subject: [PATCH] blf: don't assume that app text is null-terminated in the file.

When reading the text from an app text message, allocate a buffer one byte larger than the size of the message, and set that byte to '\0' after reading the message text, to ensure that the text is null-terminated and can be safely handed to routines that process C strings.
Fixes #19084.
---
 wiretap/blf.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/wiretap/blf.c b/wiretap/blf.c
index 4c6ede9c5b1..ae1d95c37a0 100644
--- a/wiretap/blf.c
+++ b/wiretap/blf.c
@@ -1979,13 +1979,15 @@ blf_read_apptextmessage(blf_params_t *params, int *err, gchar **err_info, gint64
 return TRUE;
 }
- gchar *text = g_try_malloc0((gsize)apptextheader.textLength);
+ /* Add an extra byte for a terminating '\0' */
+ gchar *text = g_try_malloc((gsize)apptextheader.textLength + 1);
 if (!blf_read_bytes(params, data_start + sizeof(apptextheader), text, apptextheader.textLength, err, err_info)) {
 ws_debug("not enough bytes for apptext text in file");
 g_free(text);
 return FALSE;
 }
+ text[apptextheader.textLength] = '\0'; /* Here's the '\0' */
 /* returns a NULL terminated array of NULL terminates strings */
 gchar **tokens = g_strsplit_set(text, ";", -1);
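Review bot: The result of `g_try_malloc()` is used without a NULL check: `text` is passed straight to `blf_read_bytes()`, and the new `text[apptextheader.textLength] = '\0';` then stores through it, so a failed allocation becomes a NULL-based write instead of a clean read error. `textLength` comes from the capture file, so an oversized value is the likely way to hit this. If the field is 32 bits wide and `gsize` is also 32 bits, `textLength + 1` could wrap to zero (the field's type is not visible in this hunk). I would add `if (text == NULL) { ws_debug("cannot allocate apptext text buffer"); return FALSE; }` directly after the allocation, setting `*err`/`*err_info` the way the rest of the file reports failures. blf_read_apptextmessage starts and ends outside the hunk, so an earlier bound on `textLength` against the object's remaining size may already exist; if not, that check belongs before the allocation.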