diff options
author | Rich Felker <dalias@aerifal.cx> | 2014-06-19 00:42:28 -0400 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2014-07-28 00:27:58 -0400 |
commit | c65dbec736419d706a2d3a0070ab3bedb0151f4a (patch) | |
tree | 04895e09392dbdcb892d23273e69629d1b53f82c | |
parent | f70401eae5c5ca3db2fbf8c7bf758eca40ab5bc3 (diff) | |
download | musl-c65dbec736419d706a2d3a0070ab3bedb0151f4a.tar.gz musl-c65dbec736419d706a2d3a0070ab3bedb0151f4a.tar.bz2 musl-c65dbec736419d706a2d3a0070ab3bedb0151f4a.tar.xz musl-c65dbec736419d706a2d3a0070ab3bedb0151f4a.zip |
fix incorrect comparison loop condition in memmem
the logic for this loop was copied from null-terminated-string logic
in strstr without properly adapting it to work with explicit lengths.
presumably this error could result in false negatives (wrongly
comparing past the end of the needle/haystack), false positives
(stopping comparison early when the needle contains null bytes), and
crashes (from runaway reads past the end of mapped memory).
(cherry picked from commit cef0f289f666b6c963bfd11537a6d80916ff889e)
-rw-r--r-- | src/string/memmem.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/string/memmem.c b/src/string/memmem.c index 3b1ae183..d7e12219 100644 --- a/src/string/memmem.c +++ b/src/string/memmem.c @@ -112,8 +112,8 @@ static char *twoway_memmem(const unsigned char *h, const unsigned char *z, const } /* Compare right half */ - for (k=MAX(ms+1,mem); n[k] && n[k] == h[k]; k++); - if (n[k]) { + for (k=MAX(ms+1,mem); k<l && n[k] == h[k]; k++); + if (k < l) { h += k-ms; mem = 0; continue; |