summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRich Felker <dalias@aerifal.cx>2014-06-19 00:42:28 -0400
committerRich Felker <dalias@aerifal.cx>2014-06-19 00:42:28 -0400
commitcef0f289f666b6c963bfd11537a6d80916ff889e (patch)
tree9360c286947f79ef1f3dc8ac98def74e125e7ba1
parent7c73cacd09a51a87484db5689864743e4984a84d (diff)
downloadmusl-cef0f289f666b6c963bfd11537a6d80916ff889e.tar.gz
musl-cef0f289f666b6c963bfd11537a6d80916ff889e.tar.bz2
musl-cef0f289f666b6c963bfd11537a6d80916ff889e.tar.xz
musl-cef0f289f666b6c963bfd11537a6d80916ff889e.zip
fix incorrect comparison loop condition in memmem
the logic for this loop was copied from null-terminated-string logic in strstr without properly adapting it to work with explicit lengths. presumably this error could result in false negatives (wrongly comparing past the end of the needle/haystack), false positives (stopping comparison early when the needle contains null bytes), and crashes (from runaway reads past the end of mapped memory).
-rw-r--r--src/string/memmem.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/string/memmem.c b/src/string/memmem.c
index 3b1ae183..d7e12219 100644
--- a/src/string/memmem.c
+++ b/src/string/memmem.c
@@ -112,8 +112,8 @@ static char *twoway_memmem(const unsigned char *h, const unsigned char *z, const
}
/* Compare right half */
- for (k=MAX(ms+1,mem); n[k] && n[k] == h[k]; k++);
- if (n[k]) {
+ for (k=MAX(ms+1,mem); k<l && n[k] == h[k]; k++);
+ if (k < l) {
h += k-ms;
mem = 0;
continue;