Overhaul file and buffer operation

* Add buffer limit to avoid hogging all memory on malicious inputs.
* Drop use of PathIsRelative to remove dependency on shlwapi.
* Always allocate size+padding.
* Log an error if $INCLUDE is unsuccessful.

Author: k0ekk0ek

CMakeLists.txt

@@ -141,9 +141,6 @@ if(MINGW)
 endif()
 
 add_library(zone STATIC)
-if(WIN32)
-  target_link_libraries(zone INTERFACE shlwapi)
-endif()
 
 generate_export_header(
   zone BASE_NAME ZONE EXPORT_FILE_NAME include/zone/export.h)

include/zone.h

@@ -235,8 +235,8 @@ struct zone_file {
   // in error reports
   size_t span; /**< number of lines spanned by record */
   size_t line; /**< starting line of record */
-  char *name;
-  char *path;
+  char *name; /**< filename in control directive */
+  char *path; /**< absolute path */
   FILE *handle;
   bool grouped;
   bool start_of_line;
@@ -357,10 +357,11 @@ struct zone_parser {
   struct {
     size_t size;
     struct {
-      size_t serial;
+      size_t active;
       zone_name_buffer_t *blocks;
     } owner;
     struct {
+      size_t active;
       zone_rdata_buffer_t *blocks;
     } rdata;
   } buffers;

src/generic/format.h

@@ -251,8 +251,18 @@ static really_inline int32_t parse_dollar_include(
   file_t *file;
   if ((code = take_quoted_or_contiguous(parser, &include, &fields[0], token)) < 0)
     return code;
-  if ((code = zone_open_file(parser, token->data, token->length, &file)) < 0)
-    return code;
+
+  switch ((code = zone_open_file(parser, token->data, token->length, &file))) {
+    case ZONE_OUT_OF_MEMORY:
+      OUT_OF_MEMORY(parser, "Cannot open %s (%.*s), out of memory",
+                    NAME(&include), (int)token->length, token->data);
+    case ZONE_NOT_PERMITTED:
+      NOT_PERMITTED(parser, "Cannot open %s (%.*s), access denied",
+                    NAME(&include), (int)token->length, token->data);
+    case ZONE_NOT_A_FILE:
+      NOT_A_FILE(parser, "Cannot open %s (%.*s), no such file",
+                 NAME(&include), (int)token->length, token->data);
+  }
 
   name_buffer_t name;
   const name_buffer_t *origin = &parser->file->origin;

src/generic/parser.h

@@ -227,6 +227,8 @@ static never_inline int32_t raise_error(
   RAISE_ERROR((parser), ZONE_NOT_IMPLEMENTED, __VA_ARGS__)
 #define NOT_PERMITTED(parser, ...) \
   RAISE_ERROR((parser), ZONE_NOT_PERMITTED, __VA_ARGS__)
+#define NOT_A_FILE(parser, ...) \
+  RAISE_ERROR((parser), ZONE_NOT_A_FILE, __VA_ARGS__)
 
 // semantic errors in zone files are special as a secondary may choose
 // to report, but otherwise ignore them. e.g. a TTL with the MSB set. cases
@@ -243,12 +245,26 @@ static never_inline int32_t raise_error(
 
 nonnull_all
 warn_unused_result
-static really_inline int32_t refill(parser_t *parser)
+static really_inline int32_t reindex(parser_t *parser);
+
+// limit maximum size of buffer to avoid malicious inputs claiming all memory.
+// the maximum size of the buffer is the worst-case size of rdata, or 65535
+// bytes, in presentation format. comma-separated value lists as introduced
+// by RFC 9460 allow for double escaping. a reasonable limit is therefore
+// 65535 (rdata) * 4 (\DDD) * 4 (\DDD) + 64 (sufficiently large enough to
+// cover longest key and ancillary characters) bytes.
+#define MAXIMUM_WINDOW_SIZE (65535u * 4u * 4u + 64u)
+
+nonnull_all
+warn_unused_result
+static int32_t refill(parser_t *parser)
 {
   // refill if possible (i.e. not if string or if file is empty)
   if (parser->file->end_of_file)
     return 0;
 
+  assert(parser->file->handle);
+
   // move unread data to start of buffer
   char *data = parser->file->buffer.data + parser->file->buffer.index;
   // account for non-terminated character-strings
@@ -270,17 +286,21 @@ static really_inline int32_t refill(parser_t *parser)
 
   // allocate extra space if required
   if (parser->file->buffer.length == parser->file->buffer.size) {
-    size_t size = parser->file->buffer.size + ZONE_WINDOW_SIZE;
-    if (!(data = realloc(data, size + 1)))
-      OUT_OF_MEMORY(parser, "Cannot increase buffer size to %zu", size);
+    size_t size = parser->file->buffer.size;
+    if (parser->file->buffer.size >= MAXIMUM_WINDOW_SIZE)
+      SYNTAX_ERROR(parser, "Impossibly large input, exceeds %zu bytes", size);
+    size += ZONE_WINDOW_SIZE;
+    if (!(data = realloc(data, size + 1 + ZONE_PADDING_SIZE)))
+      OUT_OF_MEMORY(parser, "Not enough memory to allocate buffer of %zu", size);
     parser->file->buffer.size = size;
     parser->file->buffer.data = data;
   }
 
-  size_t count = fread(parser->file->buffer.data + parser->file->buffer.length,
-                       sizeof(parser->file->buffer.data[0]),
-                       parser->file->buffer.size - parser->file->buffer.length,
-                       parser->file->handle);
+  size_t count = fread(
+    parser->file->buffer.data + parser->file->buffer.length,
+    sizeof(parser->file->buffer.data[0]),
+    parser->file->buffer.size - parser->file->buffer.length,
+    parser->file->handle);
 
   if (!count && ferror(parser->file->handle))
     READ_ERROR(parser, "Cannot refill buffer");
@@ -292,10 +312,6 @@ static really_inline int32_t refill(parser_t *parser)
   return 0;
 }
 
-nonnull_all
-warn_unused_result
-static really_inline int32_t reindex(parser_t *parser);
-
 // do not invoke directly
 nonnull_all
 warn_unused_result