Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 29 Jun 2017 15:37:19 +0200
From: Leah Neukirchen <>
Subject: Out-of-bounds read in twobyte_memmem


As mentioned in #musl, twobyte_memmem in memmem.c does an out of
bounds read to the byte after the final byte of the buffer, when it
updates hw using *++h before checking k.  Similar code in strstr is
unproblematic since there it will only read the NUL terminator.

Proposed solution is to rewrite the for-loop to make control flow
order explicit, but there may be a more idiomatic solution than this:

static char *twobyte_memmem(const unsigned char *h, size_t k, const unsigned char *n)
        uint16_t nw = n[0]<<8 | n[1], hw = h[0]<<8 | h[1];
        for (;;) {
                if (hw == nw) return (char *)h-1;
                if (!--k) return 0;
                hw = hw<<8 | *++h;
        return 0;

This bug was detected by @mourais during development of mblaze on

Leah Neukirchen  <>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.