fix: out-of-bounds write on invalid label

When the label for a node cannot be parsed (due to it being malformed), it falls
back on the symbol name of the node itself. I.e. the default label the node
would have had if it had no label attribute at all. However, this is applied by
dynamically altering the node's label to "\N", a shortcut for the symbol name of
the node. All of this is fine, however if the hand written label itself is
shorter than the literal string "\N", not enough memory would have been
allocated to write "\N" into the label text.

Here we account for the possibility of error during label parsing, and assume
that the label text may need to be overwritten with "\N" after the fact. Fixes
issue #1700.

diff --git a/lib/common/shapes.c b/lib/common/shapes.c
index 0a0635fc36859ab3174abed03e36899d0fa7a526..9dca9ba6e798d1f79b7f6ee7ebb591211f08808a 100644 (file)
--- a/lib/common/shapes.c
+++ b/lib/common/shapes.c
@@ -3546,9 +3546,10 @@ static void record_init(node_t * n)
     reclblp = ND_label(n)->text;
     len = strlen(reclblp);
     /* For some forgotten reason, an empty label is parsed into a space, so
-     * we need at least two bytes in textbuf.
+     * we need at least two bytes in textbuf, as well as accounting for the
+     * error path involving "\\N" below.
      */
-    len = MAX(len, 1);
+    len = MAX(MAX(len, 1), (int)strlen("\\N"));
     textbuf = N_NEW(len + 1, char);
     if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) {
        agerr(AGERR, "bad label format %s\n", ND_label(n)->text);