From f5eaadb96fb94b2d3666e53a99495840a3099aec Mon Sep 17 00:00:00 2001
From: Tavian Barnes <tavianator@tavianator.com>
Date: Wed, 2 Oct 2024 16:01:36 -0400
Subject: color: Fix an assertion failure with embedded NUL bytes

Leading NUL bytes (e.g. `*\0.gz=...`) could cause us to insert a
non-prefix-free set of strings into the case-insensitive extension trie,
which would lead to crashes like

   bfs: trie_split@src/trie.c:538: Assertion failed: `key_nibble != rep_nibble`

and OOB accesses to trie leaf keys.  Fix it by ignoring those
extensions, since filenames cannot contain NUL bytes.

Fixes: 08030aea ("color: Delay the case_sensitive decision")
---
 src/color.c                      | 10 ++++++++++
 tests/bfs/color_ext_case_nul.out | 27 +++++++++++++++++++++++++++
 tests/bfs/color_ext_case_nul.sh  |  5 +++++
 3 files changed, 42 insertions(+)
 create mode 100644 tests/bfs/color_ext_case_nul.out
 create mode 100644 tests/bfs/color_ext_case_nul.sh

diff --git a/src/color.c b/src/color.c
index 37a22f9..0885726 100644
--- a/src/color.c
+++ b/src/color.c
@@ -237,6 +237,16 @@ static int insert_ext(struct trie *trie, struct ext_color *ext) {
 /** Set the color for an extension. */
 static int set_ext(struct colors *colors, dchar *key, dchar *value) {
 	size_t len = dstrlen(key);
+
+	// Embedded NUL bytes in extensions can lead to a non-prefix-free
+	// set of strings, e.g. {".gz", "\0.gz"} would be transformed to
+	// {"zg.\0", "zg.\0\0"} (showing the implicit terminating NUL).
+	// Our trie implementation only supports prefix-free key sets, but
+	// luckily '\0' cannot appear in filenames so we can ignore them.
+	if (memchr(key, '\0', len)) {
+		return 0;
+	}
+
 	struct ext_color *ext = varena_alloc(&colors->ext_arena, len + 1);
 	if (!ext) {
 		return -1;
diff --git a/tests/bfs/color_ext_case_nul.out b/tests/bfs/color_ext_case_nul.out
new file mode 100644
index 0000000..8ccd9a7
--- /dev/null
+++ b/tests/bfs/color_ext_case_nul.out
@@ -0,0 +1,27 @@
+[01;34m$'rainbow/\e[1m'[0m
+[01;34m$'rainbow/\e[1m/'[0m$'\e[0m'
+[01;34mrainbow[0m
+[01;34mrainbow/[0m[01;31mlower.gz[0m
+[01;34mrainbow/[0m[01;31mlower.tar.gz[0m
+[01;34mrainbow/[0m[01;31mlu.tar.GZ[0m
+[01;34mrainbow/[0m[01;31mul.TAR.gz[0m
+[01;34mrainbow/[0m[01;31mupper.GZ[0m
+[01;34mrainbow/[0m[01;31mupper.TAR.GZ[0m
+[01;34mrainbow/[0m[01;32mexec.sh[0m
+[01;34mrainbow/[0m[01;35msocket[0m
+[01;34mrainbow/[0m[01;36mbroken[0m
+[01;34mrainbow/[0m[01;36mchardev_link[0m
+[01;34mrainbow/[0m[01;36mlink.txt[0m
+[01;34mrainbow/[0m[30;42msticky_ow[0m
+[01;34mrainbow/[0m[30;43msgid[0m
+[01;34mrainbow/[0m[33mpipe[0m
+[01;34mrainbow/[0m[34;42mow[0m
+[01;34mrainbow/[0m[37;41msugid[0m
+[01;34mrainbow/[0m[37;41msuid[0m
+[01;34mrainbow/[0m[37;44msticky[0m
+[01;34mrainbow/[0mfile.dat
+[01;34mrainbow/[0mfile.txt
+[01;34mrainbow/[0mlower.tar
+[01;34mrainbow/[0mmh1
+[01;34mrainbow/[0mmh2
+[01;34mrainbow/[0mupper.TAR
diff --git a/tests/bfs/color_ext_case_nul.sh b/tests/bfs/color_ext_case_nul.sh
new file mode 100644
index 0000000..68fea1c
--- /dev/null
+++ b/tests/bfs/color_ext_case_nul.sh
@@ -0,0 +1,5 @@
+# Regression test: embedded NUL bytes in an extension caused an assertion
+# failure in the trie implementation
+
+export LS_COLORS='*.gz=01;31:*\0.GZ=01;32:'
+bfs_diff rainbow -color
-- 
cgit v1.2.3