ucl_check_variable: fix out_len on unterminated variable

If the input contains '${' but no following '}', ucl_check_variable should still increment out_len since ucl_expand_variable will copy the '$' in the destination buffer. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24591
vstakhov · vstakhov · Jan 6, 2022 · Jan 4, 2022 · Jan 4, 2022 · Jan 4, 2022
commit 3a94514709b7d0d3420f96549172059bfaac2b65
diff --git a/src/ucl_parser.c b/src/ucl_parser.c
@@ -395,6 +395,9 @@ ucl_check_variable (struct ucl_parser *parser, const char *ptr,
  }
  p ++;
  }
+ if(p == end) {
+ (*out_len) ++;
+ }
  }
  else if (*ptr != '$') {
  /* Not count escaped dollar sign */