in_tail: fix out-of-bounds read in unesc_ends_with_nl

saddamr3e · edsiper · commit 0cd986aceded · 2026-06-19T10:42:46.000-06:00
An empty docker log message reaches unesc_ends_with_nl with len 0, so flb_unescape_string returns 0 and unesc[unesc_len - 1] reads one byte before the heap buffer. Guard the index on unesc_len.

Signed-off-by: saddamr3e &lt;saddamr3e@gmail.com&gt;
diff --git a/plugins/in_tail/tail_dockermode.c b/plugins/in_tail/tail_dockermode.c
@@ -190,7 +190,7 @@ static int unesc_ends_with_nl(char *str, size_t len)
         return FLB_FALSE;
     }
     unesc_len = flb_unescape_string(str, len, &unesc);
-    nl = unesc[unesc_len - 1] == '\n';
+    nl = unesc_len > 0 && unesc[unesc_len - 1] == '\n';
     flb_free(unesc);
     return nl;
 }

Original file line number	Diff line number	Diff line change
`@@ -190,7 +190,7 @@ static int unesc_ends_with_nl(char *str, size_t len)`
`190`	`190`	`return FLB_FALSE;`
`191`	`191`	`}`
`192`	`192`	`unesc_len = flb_unescape_string(str, len, &unesc);`
`193`		`- nl = unesc[unesc_len - 1] == '\n';`
	`193`	`+ nl = unesc_len > 0 && unesc[unesc_len - 1] == '\n';`
`194`	`194`	`flb_free(unesc);`
`195`	`195`	`return nl;`
`196`	`196`	`}`