From: Tim Duesterhus Date: Sat, 28 Aug 2021 22:58:22 +0000 (+0200) Subject: BUG/MINOR: tools: Fix loop condition in dump_text() X-Git-Tag: v2.3.14~10 X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=5a33a840a157641ff14dce2fe266363762a35a2f;p=haproxy-2.3.git BUG/MINOR: tools: Fix loop condition in dump_text() The condition should first check whether `bsize` is reached, before dereferencing the offset. Even if this always works fine, due to the string being null-terminated, this certainly looks odd. Found using GitHub's CodeQL scan. This bug traces back to at least 97c2ae13bc0d7961a348102d6719fbcaf34d46d5 (1.7.0+) and this patch should be backported accordingly. (cherry picked from commit 18795d48a9bb09aedc57e547029828a56322e49d) Signed-off-by: Willy Tarreau (cherry picked from commit cd5521e7ca7472bf69874603c0c5785d4ff1d1e2) Signed-off-by: Willy Tarreau --- diff --git a/src/tools.c b/src/tools.c index 5d67bd7..b985c26 100644 --- a/src/tools.c +++ b/src/tools.c @@ -4299,9 +4299,9 @@ int may_access(const void *ptr) int dump_text(struct buffer *out, const char *buf, int bsize) { unsigned char c; - int ptr = 0; + size_t ptr = 0; - while (buf[ptr] && ptr < bsize) { + while (ptr < bsize && buf[ptr]) { c = buf[ptr]; if (isprint((unsigned char)c) && isascii((unsigned char)c) && c != '\\' && c != ' ' && c != '=') { if (out->data > out->size - 1)
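Review bot: In the dump_text() hunk, `ptr` changes from `int` to `size_t` while the `bsize` parameter stays `int`, so the new condition `ptr < bsize` is a mixed signed/unsigned comparison. `bsize` is converted to unsigned for the compare, which means a negative `bsize` becomes a very large bound instead of stopping the loop, leaving only the NUL terminator to end it; with the old `int ptr` the comparison was signed and would have failed immediately. Suggest either keeping `ptr` as `int`, changing the signature to take `size_t bsize` after checking the callers, or returning early when `bsize <= 0`. The reordering of the two conditions matches what the commit message describes; the type change is not mentioned there and deserves a line of explanation.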