summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRich Felker <dalias@aerifal.cx>2016-04-01 13:36:15 -0400
committerRich Felker <dalias@aerifal.cx>2016-04-01 13:36:15 -0400
commitc718f9fc1b4bd913eff10d0c12763f90b2bc487c (patch)
tree7c34bd9ff1e852482c983b7755fbe47e97fb6bbb
parent5c3412d22555d03a1c00578ba8faaa8dc9206420 (diff)
downloadmusl-c718f9fc1b4bd913eff10d0c12763f90b2bc487c.tar.gz
musl-c718f9fc1b4bd913eff10d0c12763f90b2bc487c.tar.bz2
musl-c718f9fc1b4bd913eff10d0c12763f90b2bc487c.tar.xz
musl-c718f9fc1b4bd913eff10d0c12763f90b2bc487c.zip
fix read past end of haystack buffer for short needles in memmem
the two/three/four byte memmem specializations are not prepared to handle haystacks shorter than the needle; they unconditionally read at least up to the needle length and subtract from the haystack length. if the haystack is shorter, the remaining haystack length underflows and produces an unbounded search which will eventually either crash or find a spurious match. the top-level memmem function attempted to avoid this case already by checking for haystack shorter than needle, but it failed to re-check after using memchr to remove the maximal prefix not containing the first byte of the needle.
-rw-r--r--src/string/memmem.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/string/memmem.c b/src/string/memmem.c
index d7e12219..4be6a310 100644
--- a/src/string/memmem.c
+++ b/src/string/memmem.c
@@ -140,6 +140,7 @@ void *memmem(const void *h0, size_t k, const void *n0, size_t l)
h = memchr(h0, *n, k);
if (!h || l==1) return (void *)h;
k -= h - (const unsigned char *)h0;
+ if (k<l) return 0;
if (l==2) return twobyte_memmem(h, k, n);
if (l==3) return threebyte_memmem(h, k, n);
if (l==4) return fourbyte_memmem(h, k, n);