From cc3098b63174b8aa875d1f2e9c6ea94407b211b8 Mon Sep 17 00:00:00 2001
From: Rainer Gerhards <rgerhards@adiscon.com>
Date: Thu, 16 Feb 2017 19:02:36 +0100
Subject: [PATCH 04/11] Bug 1582517 - rsyslog: Buffer overflow in memcpy() in parser.c

core: fix potential misaddressing in parser message sanitizer

misaddressing could happen when an oversize message made it to the
sanitizer AND contained a control character in the oversize part
of the message. Note that it is an error in itself that such an
oversize message enters the system, but we harden the sanitizer
to handle this gracefully (it will truncate the message).

Note that truncation may still - as previously - happen if the
number of escape characters makes the string grow above the max
message size.

(cherry picked from commit 20f8237870eb5e971fa068e4dd4d296f1dbef329)
---
 runtime/parser.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/runtime/parser.c b/runtime/parser.c
index 0574d982a..9645baa40 100644
--- a/runtime/parser.c
+++ b/runtime/parser.c
@@ -464,9 +464,15 @@ SanitizeMsg(smsg_t *pMsg)
 	if(maxDest < sizeof(szSanBuf))
 		pDst = szSanBuf;
 	else 
-		CHKmalloc(pDst = MALLOC(iMaxLine + 1));
+		CHKmalloc(pDst = MALLOC(maxDest + 1));
 	if(iSrc > 0) {
 		iSrc--; /* go back to where everything is OK */
+		if(iSrc > maxDest) {
+			DBGPRINTF("parser.Sanitize: have oversize index %zd, "
+				"max %zd - corrected, but should not happen\n",
+				iSrc, maxDest);
+			iSrc = maxDest;
+		}
 		memcpy(pDst, pszMsg, iSrc); /* fast copy known good */
 	}
 	iDst = iSrc;
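Review bot: the oversize condition at the new `if(iSrc > maxDest)` block is reported only through `DBGPRINTF`, which is silent in a normal (non-debug) run; since the commit message calls an oversize message reaching the sanitizer "an error in itself", consider also emitting a visible error-level log at the `iSrc = maxDest;` clamp so operators can detect that such messages are entering the system rather than only seeing silently truncated output. The clamp itself is consistent with both destination buffers in the visible context: `szSanBuf` is only chosen when `maxDest < sizeof(szSanBuf)`, and the heap path now allocates `maxDest + 1`, so `memcpy(pDst, pszMsg, iSrc)` with `iSrc <= maxDest` stays in bounds. One small point on the format string: if `iSrc` and `maxDest` are `size_t`, `%zu` rather than `%zd` is the matching conversion specifier.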
-- 
2.14.4