|
|
# --- SDE-COPYRIGHT-NOTE-BEGIN ---# This copyright note is auto-generated by ./scripts/Create-CopyPatch.## Filename: package/.../musl/memmem.patch# Copyright (C) 2016 The OpenSDE Project## More information can be found in the files COPYING and README.## This patch file is dual-licensed. It is available under the license the# patched project is licensed under, as long as it is an OpenSource license# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms# of the GNU General Public License as published by the Free Software# Foundation; either version 2 of the License, or (at your option) any later# version.# --- SDE-COPYRIGHT-NOTE-END ---
From c718f9fc1b4bd913eff10d0c12763f90b2bc487c Mon Sep 17 00:00:00 2001From: Rich Felker <dalias@aerifal.cx>Date: Fri, 1 Apr 2016 13:36:15 -0400Subject: fix read past end of haystack buffer for short needles in memmem
the two/three/four byte memmem specializations are not prepared tohandle haystacks shorter than the needle; they unconditionally read atleast up to the needle length and subtract from the haystack length.if the haystack is shorter, the remaining haystack length underflowsand produces an unbounded search which will eventually either crash orfind a spurious match.
the top-level memmem function attempted to avoid this case already bychecking for haystack shorter than needle, but it failed to re-checkafter using memchr to remove the maximal prefix not containing thefirst byte of the needle.---
src/string/memmem.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/src/string/memmem.c b/src/string/memmem.c
index d7e1221..4be6a31 100644
--- a/src/string/memmem.c
+++ b/src/string/memmem.c
@@ -140,6 +140,7 @@ void *memmem(const void *h0, size_t k, const void *n0, size_t l)
h = memchr(h0, *n, k); if (!h || l==1) return (void *)h; k -= h - (const unsigned char *)h0;+ if (k<l) return 0;
if (l==2) return twobyte_memmem(h, k, n); if (l==3) return threebyte_memmem(h, k, n); if (l==4) return fourbyte_memmem(h, k, n);--
cgit v0.11.2
|
