From c753000eb31835c0664e528fbc99378ae0cbe950 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 7 Feb 2023 12:14:20 -0500
Subject: [PATCH] GHSL-2023-013: Memory corruption decoding UTF16

Memory corruption when decoding UTF16 strings (GHSL-2023-013)

Fixes defect GHSL-2023-013 found by the GitHub Security Lab team via oss-fuzz.

The variable outlen was not initialized and could cause writing a zero to an arbitrary place in memory if ntlm_str_convert() were to fail, which would leave outlen uninitialized.

This can lead to a DoS if the write hits unmapped memory or randomly corrupting a byte in the application memory space.

Make sure to zero out only if ntlm_str_convert() succeeds, but for good measure also initialize outlen to 0.

Fixes CVE-2023-25564

Signed-off-by: Simo Sorce
---
 src/ntlm.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/ntlm.c b/src/ntlm.c
index df2458a..0ac1c03 100644
--- a/src/ntlm.c
+++ b/src/ntlm.c
@@ -299,7 +299,7 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
     char *in, *out = NULL;
     uint16_t str_len;
     uint32_t str_offs;
-    size_t outlen;
+    size_t outlen = 0;
     int ret = 0;
 
     str_len = le16toh(str_hdr->len);
@@ -320,13 +320,14 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
 
     ret = ntlm_str_convert(ctx->to_oem, in, out, str_len, &outlen);
 
-    /* make sure to terminate output string */
-    out[outlen] = '\0';
-
 done:
     if (ret) {
         safefree(out);
+    } else {
+        /* make sure to terminate output string */
+        out[outlen] = '\0';
     }
+
     *str = out;
     return ret;
 }
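Review bot: The new `else` branch in the second hunk writes `out[outlen] = '\0'` whenever `ret` is 0, but `done:` is a jump target and `out` starts out as NULL (first hunk), so if any earlier `goto done` is taken before the buffer is allocated the success path now dereferences a null pointer where the old code merely skipped the terminator. Guarding the branch, `} else if (out) {`, keeps the fix for the uninitialized `outlen` while preserving the old behaviour on that path; otherwise each early exit to `done:` should be audited to confirm it cannot arrive with `ret == 0` and `out == NULL`. ntlm_decode_u16l_str_hdr begins before the hunk, so the jump sites and the allocation of `out` are not visible here. It would also help to state next to the write that it relies on ntlm_str_convert() leaving `outlen` strictly smaller than the size allocated for `out`, e.g. `/* ntlm_str_convert() must leave room for the terminator: outlen < allocated size */`.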