svn commit: r339370 - head/lib/libc/string

Gleb Smirnoff glebius at FreeBSD.org
Mon Oct 15 20:20:58 UTC 2018 

Author: glebius
Date: Mon Oct 15 20:20:57 2018
New Revision: 339370
URL: https://svnweb.freebsd.org/changeset/base/339370

Log:
  Avoid OOB reads in memmem(3).
  
  commit 51bdcdc424bd7169c8cccdc2de7cad17f5ea0f70
  Author: Alexander Monakov <amonakov at ispras.ru>
  Date:   Fri Jun 30 00:35:33 2017 +0300
  
      fix OOB reads in Xbyte_memmem
  
      Reported by Leah Neukirchen.
  
  Reviewed by:	emaste
  Approved by:	re (kib)

Modified:
  head/lib/libc/string/memmem.c

Modified: head/lib/libc/string/memmem.c
==============================================================================
--- head/lib/libc/string/memmem.c	Mon Oct 15 20:11:53 2018	(r339369)
+++ head/lib/libc/string/memmem.c	Mon Oct 15 20:20:57 2018	(r339370)
@@ -31,27 +31,27 @@ __FBSDID("$FreeBSD$");
 static char *twobyte_memmem(const unsigned char *h, size_t k, const unsigned char *n)
 {
 	uint16_t nw = n[0]<<8 | n[1], hw = h[0]<<8 | h[1];
-	for (h++, k--; k; k--, hw = hw<<8 | *++h)
-		if (hw == nw) return (char *)h-1;
-	return 0;
+	for (h+=2, k-=2; k; k--, hw = hw<<8 | *h++)
+		if (hw == nw) return (char *)h-2;
+	return hw == nw ? (char *)h-2 : 0;
 }
 
 static char *threebyte_memmem(const unsigned char *h, size_t k, const unsigned char *n)
 {
 	uint32_t nw = n[0]<<24 | n[1]<<16 | n[2]<<8;
 	uint32_t hw = h[0]<<24 | h[1]<<16 | h[2]<<8;
-	for (h+=2, k-=2; k; k--, hw = (hw|*++h)<<8)
-		if (hw == nw) return (char *)h-2;
-	return 0;
+	for (h+=3, k-=3; k; k--, hw = (hw|*h++)<<8)
+		if (hw == nw) return (char *)h-3;
+	return hw == nw ? (char *)h-3 : 0;
 }
 
 static char *fourbyte_memmem(const unsigned char *h, size_t k, const unsigned char *n)
 {
 	uint32_t nw = n[0]<<24 | n[1]<<16 | n[2]<<8 | n[3];
 	uint32_t hw = h[0]<<24 | h[1]<<16 | h[2]<<8 | h[3];
-	for (h+=3, k-=3; k; k--, hw = hw<<8 | *++h)
-		if (hw == nw) return (char *)h-3;
-	return 0;
+	for (h+=4, k-=4; k; k--, hw = hw<<8 | *h++)
+		if (hw == nw) return (char *)h-4;
+	return hw == nw ? (char *)h-4 : 0;
 }
 
 #define MAX(a,b) ((a)>(b)?(a):(b))

More information about the svn-src-head mailing list