From 8e8c92c0ca8c87a7dfb8921ae8aa72e6b767d97e Mon Sep 17 00:00:00 2001 From: Anton Yuzhaninov Date: Tue, 21 Sep 2021 10:00:17 +0100 Subject: [PATCH] [Fix] buffer overflow in rspamc counters If request to /counters returns no symbols then max_len would have a negative value: Results for command: counters (0.003 seconds) ================================================================= ==22096==ERROR: AddressSanitizer: negative-size-param: (size=-2147483604) #0 0x33ff13 in __asan_memset (/usr/bin/rspamc+0x33ff13) #1 0x383432 in rspamc_counters_output /usr/src/debug/rspamd/src/client/rspamc.c:1064:2 #2 0x388c49 in rspamc_client_cb /usr/src/debug/rspamd/src/client/rspamc.c:1600:6 ...
---
 src/client/rspamc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/client/rspamc.c b/src/client/rspamc.c
index fb995288d..869a82b03 100644
--- a/src/client/rspamc.c
+++ b/src/client/rspamc.c
@@ -1035,7 +1035,8 @@ rspamc_counters_output (FILE *out, ucl_object_t *obj)
 const ucl_object_t *cur, *sym, *weight, *freq, *freq_dev, *nhits;
 ucl_object_iter_t iter = NULL;
 gchar fmt_buf[64], dash_buf[82], sym_buf[82];
- gint l, max_len = INT_MIN, i;
+ gint l, i;
+ gint max_len = sizeof("Symbol") - 1;
 static const gint dashes = 44;
 if (obj->type != UCL_ARRAY) {
@@ -1054,11 +1055,12 @@ rspamc_counters_output (FILE *out, ucl_object_t *obj)
 if (sym != NULL) {
 l = sym->len;
 if (l > max_len) {
- max_len = MIN (sizeof (dash_buf) - dashes - 1, l);
+ max_len = l;
 }
 }
 }
+ max_len = MIN (sizeof (dash_buf) - dashes - 1, max_len);
 rspamd_snprintf (fmt_buf, sizeof (fmt_buf), "| %%3s | %%%ds | %%7s | %%13s | %%7s |\n", max_len);
 memset (dash_buf, '-', dashes + max_len);
-- 
2.39.5
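Review bot: The new initialiser `gint max_len = sizeof("Symbol") - 1;` uses the column-header text as a lower bound without saying so, and the header itself is printed outside this hunk, so the two literals can drift apart. I would add a comment above it such as `/* never narrower than the "Symbol" column header; also keeps the memset length below non-negative when no symbols are returned */`. The line also drops the space before the parenthesis that the rest of the function uses (`sizeof (dash_buf)`). rspamc_counters_output starts before and continues after this hunk.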
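Review bot: The relocated clamp `MIN (sizeof (dash_buf) - dashes - 1, max_len)` compares a `size_t` with a `gint`, so it is evaluated in unsigned arithmetic and the result only reads correctly because of the implicit conversion. Since this one line now keeps `dashes + max_len` inside the 82-byte `dash_buf` for the `memset` and bounds the width written into `fmt_buf`, I would make the types explicit and say so: `max_len = MIN ((gint) sizeof (dash_buf) - dashes - 1, max_len); /* bound for the dash_buf memset below */`. Separately, `l = sym->len` narrows the length to `gint`. If the field is an unsigned 32-bit value, an oversized length would go negative and be skipped by `l > max_len`, which looks harmless here but deserves a short comment. The function body continues past the end of this hunk.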