authorKeith Packard <keithp@keithp.com>2021-10-11 09:24:54 -0700
committerJeff Johnston <jjohnstn@redhat.com>2021-10-13 16:39:49 -0400
commitc51f05c59799fd03b15874a9608e613315dcb11c (patch)
tree68f431702b12ce8441ba72c485dc1a6dbb506122
parentdcd564f65caa96a9dc5c0d17020b9674a1a36e32 (diff)
string: Fix buffer overrun in picolibc/newlib/libc/string/strrchr.c (#184)
Reported by prodisDown: In picolibc/newlib/libc/string/strrchr.c: if (i) { while ((s=strchr(s, i))) { last = s; s++; } } else { last = strchr(s, i); } A value (for example 0xFFFFFF00) can pass the if (i) test and then be cast to char inside strchr(). The s++ that follows then overruns the buffer. It can be fixed by a preventive cast, i = (int) (char) i;, or by casting inside the expression, if ((char) i). Fixed by casting to char. Signed-off-by: Keith Packard <keithp@keithp.com>
-rw-r--r--newlib/libc/string/strrchr.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/newlib/libc/string/strrchr.c b/newlib/libc/string/strrchr.c
index 04897e1..35a7060 100644
--- a/newlib/libc/string/strrchr.c
+++ b/newlib/libc/string/strrchr.c
@@ -34,10 +34,11 @@ strrchr (const char *s,
int i)
{
const char *last = NULL;
+ char c = i;
- if (i)
+ if (c)
{
- while ((s=strchr(s, i)))
+ while ((s=strchr(s, c)))
{
last = s;
s++;
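Review bot: The narrowing in `char c = i;` is what keeps the `s++` in this loop from stepping past the terminator, but nothing in the code says so, and a later cleanup could switch the test or the call back to `i` without anyone noticing. I would add a comment above the declaration such as `/* Narrow to char first: strchr() converts its argument to char, so the zero test must use the same value or s++ can step past the terminator. */` and spell the conversion out as `char c = (char) i;` so it stays quiet under `-Wconversion`. The diffstat lists only strrchr.c, so a regression case using the value from the report (0xFFFFFF00, whose low byte is zero) would be worth adding with this fix. The function signature and the close of the loop lie outside this hunk.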
@@ -45,8 +46,8 @@ strrchr (const char *s,
}
else
{
- last = strchr(s, i);
+ last = strchr(s, c);
}
-
+
return (char *) last;
}