diff options
| author | Rich Felker <dalias@aerifal.cx> | 2016-04-01 13:36:15 -0400 | 
|---|---|---|
| committer | Rich Felker <dalias@aerifal.cx> | 2016-04-01 13:36:15 -0400 | 
| commit | c718f9fc1b4bd913eff10d0c12763f90b2bc487c (patch) | |
| tree | 7c34bd9ff1e852482c983b7755fbe47e97fb6bbb | |
| parent | 5c3412d22555d03a1c00578ba8faaa8dc9206420 (diff) | |
| download | musl-c718f9fc1b4bd913eff10d0c12763f90b2bc487c.tar.gz | |
fix read past end of haystack buffer for short needles in memmem
the two/three/four byte memmem specializations are not prepared to
handle haystacks shorter than the needle; they unconditionally read at
least up to the needle length and subtract from the haystack length.
if the haystack is shorter, the remaining haystack length underflows
and produces an unbounded search which will eventually either crash or
find a spurious match.
the top-level memmem function attempted to avoid this case already by
checking for haystack shorter than needle, but it failed to re-check
after using memchr to remove the maximal prefix not containing the
first byte of the needle.
| -rw-r--r-- | src/string/memmem.c | 1 | 
1 files changed, 1 insertions, 0 deletions
| diff --git a/src/string/memmem.c b/src/string/memmem.c index d7e12219..4be6a310 100644 --- a/src/string/memmem.c +++ b/src/string/memmem.c @@ -140,6 +140,7 @@ void *memmem(const void *h0, size_t k, const void *n0, size_t l)  	h = memchr(h0, *n, k);  	if (!h || l==1) return (void *)h;  	k -= h - (const unsigned char *)h0; +	if (k<l) return 0;  	if (l==2) return twobyte_memmem(h, k, n);  	if (l==3) return threebyte_memmem(h, k, n);  	if (l==4) return fourbyte_memmem(h, k, n); | 
