authorHenning Baldersheim <balder@yahoo-inc.com>2017-08-04 11:35:00 +0200
committerHenning Baldersheim <balder@yahoo-inc.com>2017-08-04 11:35:00 +0200
commit25dfe90ee8ee851f2c692829550e6f12502cf0b7 (patch)
tree6bea1622808d25d9c77451417f2457fb602302cb /searchlib
parent591874352bf642b861a6ca461e5ca6427eaa9829 (diff)
- Input is always dangerous.
- Add test that provokes stack overwrite. - Prevent stack overwrite.
Diffstat (limited to 'searchlib')
-rw-r--r--searchlib/src/tests/query/query-old.cpp5
-rw-r--r--searchlib/src/vespa/searchlib/fef/termfieldmatchdata.cpp2
-rw-r--r--searchlib/src/vespa/searchlib/query/queryterm.cpp8
3 files changed, 9 insertions, 6 deletions
diff --git a/searchlib/src/tests/query/query-old.cpp b/searchlib/src/tests/query/query-old.cpp
index e8e0614f51a..204289ccf61 100644
--- a/searchlib/src/tests/query/query-old.cpp
+++ b/searchlib/src/tests/query/query-old.cpp
@@ -648,4 +648,9 @@ TEST("require that incorrectly specified diversity can be parsed") {
EXPECT_FALSE(descending_query.isValid());
}
+TEST("require that we do not f.. up the stack on bad query") {
+ QueryTermSimple term("<form><iframe+&#09;&#10;&#11;+src=\\\"javascript&#58;alert(1)\\\"&#11;&#10;&#09;;>", QueryTerm::WORD);
+ EXPECT_FALSE(term.isValid());
+}
+
TEST_MAIN() { TEST_RUN_ALL(); }
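Review bot: The new test gives no hint of why this particular literal is the interesting input, so a future edit to the string could silently stop covering the case; a one-line comment above the `QueryTermSimple` construction would fix that, e.g. `// Full-range form ("<...>") with eight ';' separators: fills every slot of the parts[] array in QueryTermSimple.` The assertion itself only pins the parse result, so the stack-overwrite regression this commit describes is presumably caught by running the test under a sanitizer or valgrind rather than by `EXPECT_FALSE(term.isValid())` alone, and that dependency is worth stating in the same comment.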
diff --git a/searchlib/src/vespa/searchlib/fef/termfieldmatchdata.cpp b/searchlib/src/vespa/searchlib/fef/termfieldmatchdata.cpp
index 5c1b3df6f4e..7cfc6afa72d 100644
--- a/searchlib/src/vespa/searchlib/fef/termfieldmatchdata.cpp
+++ b/searchlib/src/vespa/searchlib/fef/termfieldmatchdata.cpp
@@ -1,8 +1,6 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
#include "termfieldmatchdata.h"
-#include "fieldinfo.h"
-#include <algorithm>
namespace search::fef {
diff --git a/searchlib/src/vespa/searchlib/query/queryterm.cpp b/searchlib/src/vespa/searchlib/query/queryterm.cpp
index 694988ef74e..70cbcd37ee0 100644
--- a/searchlib/src/vespa/searchlib/query/queryterm.cpp
+++ b/searchlib/src/vespa/searchlib/query/queryterm.cpp
@@ -367,9 +367,9 @@ QueryTermSimple::QueryTermSimple(const string & term_, SearchTerm type) :
{
if (isFullRange(_term)) {
stringref rest(_term.c_str() + 1, _term.size() - 2);
- stringref parts[8];
+ stringref parts[9];
size_t numParts(0);
- while (! rest.empty() && (numParts < NELEMS(parts))) {
+ while (! rest.empty() && ((numParts + 1) < NELEMS(parts))) {
size_t pos(rest.find(';'));
if (pos != vespalib::string::npos) {
parts[numParts++] = rest.substr(0, pos);
@@ -382,8 +382,8 @@ QueryTermSimple::QueryTermSimple(const string & term_, SearchTerm type) :
rest = stringref();
}
}
- _valid = (numParts >= 2);
- if (numParts > 2) {
+ _valid = (numParts >= 2) && (numParts < NELEMS(parts));
+ if (_valid && numParts > 2) {
_rangeLimit = strtol(parts[2].c_str(), NULL, 0);
if (numParts > 3) {
_valid = (numParts >= 5);
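Review bot: The `(numParts < NELEMS(parts))` clause added to `_valid` appears to be unreachable as a rejection: the loop bound in the preceding hunk, `(numParts + 1) < NELEMS(parts)`, stops the loop once `numParts` reaches 8, and with `parts[9]` the clause then always holds. If both branches of the loop body increment `numParts` (the body between the two hunks is not visible, so this is inferred from the visible `parts[numParts++]` line), an input with more than eight `;`-separated parts is truncated and still accepted rather than rejected, while `rest` is left non-empty. If the intent is to reject such input, testing the leftover is the direct check: `_valid = (numParts >= 2) && rest.empty();`. The constructor body continues past the end of this hunk, so later reads of `parts[...]` that depend on `numParts` are not reviewable here.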