Ticket #37 (new defect)

Opened 3 years ago

Buffer overflow vulnerability in rdfa_init_base()

Reported by: msporny Owned by: msporny
Priority: major Milestone: 1.0
Component: parser Version: 0.15
Keywords: Cc: dlehn@…

Description

Reported by David I. Lehn:

rdfa_init_base() has buffer overflows. Need to allocate an extra NULL byte on the working buffer you pass in so strstr() doesn't scan off the end. Or maybe find a rare non-broken strnstr implementation with the right license. I'd look at the other buffer issue valgrind found but that tool needs *gigs* of ram when running on the speed test.

Below is a simple patch, but it pushes the buffer a byte over even alignment, if that matters, and it may be wrong. I don't know the code so perhaps the NULL byte should be added where the buffer is filled. strnstr or similar would be nicer.

Also should use malloc instead of calloc since byte size was already calculated in wb_allocated. (It works here since sizeof(char) == 1, but if it was 2 then working_buffer would have been 2x the proper size.)

diff --git a/c/rdfa.c b/c/rdfa.c
index 9996a18..577e2cc 100644
--- a/c/rdfa.c
+++ b/c/rdfa.c
@@ -1214,7 +1214,9 @@ int rdfa_parse_start(rdfacontext* context)
    int rval = RDFA_PARSE_SUCCESS;

    context->wb_allocated = sizeof(char) * READ_BUFFER_SIZE;
-   context->working_buffer = (char*)calloc(context->wb_allocated, sizeof(char))
+   // allocate an extra byte for strstr safety NULL terminator
+   context->working_buffer = (char*)malloc(context->wb_allocated + 1);
+   context->working_buffer[context->wb_allocated] = 0;

 #ifndef LIBRDFA_IN_RAPTOR
    context->parser = XML_ParserCreate(NULL);
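Review bot: the new line `context->working_buffer[context->wb_allocated] = 0;` writes through the malloc() result without a NULL check, so an allocation failure becomes a null-pointer write instead of an error return; add `if (context->working_buffer == NULL)` handling before it. Replacing calloc() with malloc() also drops the zero-fill of the buffer body, leaving only the single guard byte at index wb_allocated, so a strstr() over a partially filled buffer still walks through uninitialised bytes up to that guard; `calloc(context->wb_allocated + 1, 1)` keeps the intended element size of 1 and the zero-fill. Since this hunk sits in rdfa_parse_start() while the ticket title names rdfa_init_base(), the guard is written once at allocation, and whichever code refills the buffer must keep the terminator in place, as the description itself suggests.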
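The two fixes the report discusses, a bounded substring search in place of strstr() and a guard byte re-asserted wherever the buffer is filled, as an added example that is not librdfa code and not part of the ticket. The function names bounded_strstr, alloc_working_buffer, fill_working_buffer and demo_offset, and the XML snippet used as input, are assumptions constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded substring search: looks for `needle` within the first `hay_len`
 * bytes of `hay` and never reads past them, so an unterminated buffer
 * cannot cause an over-read. (Hypothetical helper, not the library's API.) */
const char *bounded_strstr(const char *hay, size_t hay_len, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0)
        return hay;
    if (hay_len < nlen)
        return NULL;
    for (size_t i = 0; i + nlen <= hay_len; i++) {
        if (hay[i] == needle[0] && memcmp(hay + i, needle, nlen) == 0)
            return hay + i;
    }
    return NULL;
}

/* Allocate `size` usable bytes plus one guard byte. The element size is 1
 * because `size` is already a byte count; calloc zero-fills, so even a
 * partially filled buffer is NUL-terminated. Caller must check for NULL. */
char *alloc_working_buffer(size_t size)
{
    return calloc(size + 1, 1);
}

/* Copy at most `size` bytes into the buffer and re-assert the terminator
 * right after the used region; index n is always inside the size+1 block. */
size_t fill_working_buffer(char *buf, size_t size, const char *src, size_t src_len)
{
    size_t n = src_len < size ? src_len : size;
    memcpy(buf, src, n);
    buf[n] = '\0';
    return n;
}

/* Fill a working buffer from a constructed XML chunk and return the byte
 * offset of "xml:base", or -1 if it is absent or allocation fails. */
int demo_offset(void)
{
    const char chunk[] = "<html xml:base=\"http://example.org/\">"; /* constructed */
    size_t chunk_len = sizeof(chunk) - 1;
    char *wb = alloc_working_buffer(chunk_len);
    if (wb == NULL)
        return -1;
    fill_working_buffer(wb, chunk_len, chunk, chunk_len);
    const char *p = bounded_strstr(wb, chunk_len, "xml:base");
    int off = p ? (int)(p - wb) : -1;
    free(wb);
    return off;
}

int main(void)
{
    printf("xml:base found at offset %d\n", demo_offset());
    return 0;
}
```

The bounded search is the safety net: it is correct regardless of whether the terminator is present, while the guard byte in alloc_working_buffer/fill_working_buffer makes the buffer safe for any remaining plain strstr() calls.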