blf: don't assume that app text is null-terminated in the file.
When reading the text from an app text message, allocate a buffer one
byte larger than the size of the message, and set that byte to '\0'
after reading the message text, to ensure that the text is
null-terminated and can be safely handed to routines that process C
strings.

Fixes #19084.


(cherry picked from commit 8780332)
guyharris committed May 19, 2023
1 parent da01747 commit 88311a4
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion wiretap/blf.c
Expand Up @@ -1731,13 +1731,15 @@ blf_read_apptextmessage(blf_params_t *params, int *err, gchar **err_info, gint64
return TRUE;
}

gchar *text = g_try_malloc0((gsize)apptextheader.textLength);
/* Add an extra byte for a terminating '\0' */
gchar *text = g_try_malloc((gsize)apptextheader.textLength + 1);

if (!blf_read_bytes(params, data_start + sizeof(apptextheader), text, apptextheader.textLength, err, err_info)) {
ws_debug("not enough bytes for apptext text in file");
g_free(text);
return FALSE;
}
text[apptextheader.textLength] = '\0'; /* Here's the '\0' */

/* returns a NULL terminated array of NULL terminates strings */
gchar **tokens = g_strsplit_set(text, ";", -1);
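
Review bot: The pointer returned by `g_try_malloc((gsize)apptextheader.textLength + 1)` is used without a NULL check, both as the destination passed to `blf_read_bytes()` and in the store `text[apptextheader.textLength] = '\0'`. `g_try_malloc()` returns NULL when the allocation fails, and `textLength` comes from the capture file, so a very large length in a corrupt or crafted file can turn an allocation failure into a NULL-pointer write. Suggest adding `if (text == NULL)` directly after the allocation, with a `ws_debug()` message and `return FALSE`, before the read. Dropping the zero-fill (`g_try_malloc0` to `g_try_malloc`) looks fine given the visible lines, since the buffer is either fully read and then terminated or freed on the error path.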