GHSL-2023-013: Memory corruption decoding UTF16

Memory corruption when decoding UTF16 strings (GHSL-2023-013)

Fixes defect GHSL-2023-013 found by the GitHub Security Lab team via
oss-fuzz.

The variable outlen was not initialized and could cause writing a zero
to an arbitrary place in memory if ntlm_str_convert() were to fail,
which would leave outlen uninitialized.

This can lead to a DoS if the write hits unmapped memory or randomly
corrupting a byte in the application memory space.

Make sure to zero out only if ntlm_str_convert() succeeds, but for good
measure also initialize outlen to 0.

Fixes CVE-2023-25564

Signed-off-by: Simo Sorce <simo@redhat.com>

Author: simo5

src/ntlm.c

@@ -299,7 +299,7 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
     char *in, *out = NULL;
     uint16_t str_len;
     uint32_t str_offs;
-    size_t outlen;
+    size_t outlen = 0;
     int ret = 0;
 
     str_len = le16toh(str_hdr->len);
@@ -320,13 +320,14 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
 
     ret = ntlm_str_convert(ctx->to_oem, in, out, str_len, &outlen);
 
-    /* make sure to terminate output string */
-    out[outlen] = '\0';
-
 done:
     if (ret) {
         safefree(out);
+    } else {
+        /* make sure to terminate output string */
+        out[outlen] = '\0';
     }
+
     *str = out;
     return ret;
 }