string: Fix buffer overrun in picolibc/newlib/libc/string/strrchr.c (#184)
Reported by prodisDown:

In picolibc/newlib/libc/string/strrchr.c:

if (i) { while ((s=strchr(s, i))) { last = s; s++; } } else { last = strchr(s, i); }

A value of i (for example 0xFFFFFF00) can pass the if (i) test and then be cast to char inside strchr(). Then s++ runs, and a buffer overrun follows. It can be fixed by a preventive cast, i = (int) (char) i;, or by casting inside the expression, if ((char) i).

Fixed by casting to char.

Signed-off-by: Keith Packard <keithp@keithp.com>
parent
dcd564f65c
commit
c51f05c597
|
@ -34,10 +34,11 @@ strrchr (const char *s,
|
||||||
int i)
|
int i)
|
||||||
{
|
{
|
||||||
const char *last = NULL;
|
const char *last = NULL;
|
||||||
|
char c = i;
|
||||||
|
|
||||||
if (i)
|
if (c)
|
||||||
{
|
{
|
||||||
while ((s=strchr(s, i)))
|
while ((s=strchr(s, c)))
|
||||||
{
|
{
|
||||||
last = s;
|
last = s;
|
||||||
s++;
|
s++;
|
||||||
|
@ -45,8 +46,8 @@ strrchr (const char *s,
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
last = strchr(s, i);
|
last = strchr(s, c);
|
||||||
}
|
}
|
||||||
|
|
||||||
return (char *) last;
|
return (char *) last;
|
||||||
}
|
}
|
||||||
|
|
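Review bot: The new `char c = i;` line carries the whole fix but has no comment saying why, so a later cleanup could put `i` back into the `if` test or the strchr() calls and reintroduce the read past the terminator. I would make the narrowing explicit and document it, for example `char c = (char) i; /* narrow once: the zero test must see the same value strchr() compares against */`; the explicit cast also marks the int-to-char conversion as intentional for out-of-range values. A regression test that calls strrchr() with a value whose low byte is zero, such as the 0xFFFFFF00 from the report, and expects a pointer to the terminating NUL would pin the behaviour. The function's signature starts above the first hunk, and the closing brace of the while loop lies between the two hunks, so this is based only on the lines shown.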