json: fixed an off-by-one write that could corrupted the string null terminator

agrawroh · phlax · commit 5508210c91c0 · 2026-03-10T18:37:47.000Z
[CVE-2026-26309](GHSA-56cj-wgg3-x943) Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com> Signed-off-by: Ryan Northey <ryan@synca.io>
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -45,6 +45,10 @@ bug_fixes:
     destroyed. This could cause use-after-free conditions when filter callbacks were invoked on filters that
     had already received ``onDestroy()``. The fix ensures that ``decodeHeaders()``, ``decodeData()``,
     ``decodeTrailers()``, and ``decodeMetadata()`` are blocked after a downstream reset.
+- area: json
+  change: |
+    Fixed an off-by-one write in ``JsonEscaper::escapeString()`` that could corrupt the string null terminator
+    when the input string ends with a control character.
 
 removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
diff --git a/source/common/common/json_escape_string.h b/source/common/common/json_escape_string.h
@@ -68,8 +68,12 @@ class JsonEscaper {
           // Print character as unicode hex.
           sprintf(&result[position + 1], "u%04x", static_cast<int>(character));
           position += 6;
-          // Overwrite trailing null character.
-          result[position] = '\\';
+          // Overwrite trailing null character from `sprintf`, but only if there are more characters
+          // to process. If this is the last character then we must not write past the end of the
+          // string.
+          if (position < result.size()) {
+            result[position] = '\\';
+          }
         } else {
           // All other characters are added as-is.
           result[position++] = character;
diff --git a/test/common/common/logger_test.cc b/test/common/common/logger_test.cc
@@ -1,3 +1,4 @@
+#include <cstring>
 #include <memory>
 #include <string>
 
@@ -118,6 +119,36 @@ TEST(JsonEscapeTest, Escape) {
   expect_json_escape("\x1f", "\\u001f");
 }
 
+// Regression test for off-by-one write when control characters appear at the end of input.
+TEST(JsonEscapeTest, NulTerminatorIntegrity) {
+  const auto verify_nul_terminator = [](absl::string_view input) {
+    std::string escaped = JsonEscaper::escapeString(input, JsonEscaper::extraSpace(input));
+
+    // Verify the null terminator is intact.
+    EXPECT_EQ('\0', escaped.c_str()[escaped.size()])
+        << "null terminator corrupted for input ending with control character";
+
+    // Verify strlen matches the size. A corrupted null terminator would cause strlen
+    // to read past the string boundary.
+    EXPECT_EQ(escaped.size(), std::strlen(escaped.c_str()))
+        << "strlen mismatch indicates NUL terminator corruption";
+  };
+
+  // Test control characters at the end of input. These would trigger the buggy code path.
+  verify_nul_terminator("\x01");                           // Single control char.
+  verify_nul_terminator("\x00");                           // Single NUL.
+  verify_nul_terminator("test\x01");                       // Trailing control char.
+  verify_nul_terminator(absl::string_view("test\x00", 5)); // Trailing NUL.
+  verify_nul_terminator("\x01\x02");                       // Multiple control chars.
+  verify_nul_terminator("test\x01\x02");                   // Multiple trailing control chars.
+  verify_nul_terminator(std::string(100, 'A') + "\x1f");   // Large string ending with control char.
+
+  // Test control characters not at the end. These should always work.
+  verify_nul_terminator("\x01test");         // Leading control char.
+  verify_nul_terminator("te\x01st");         // Middle control char.
+  verify_nul_terminator("\x01test\x02more"); // Multiple control chars in middle.
+}
+
 class LoggerCustomFlagsTest : public testing::TestWithParam<spdlog::logger*> {
 public:
   LoggerCustomFlagsTest() : logger_(GetParam()) {}
