[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 29 Jun 2017 15:37:19 +0200
From: Leah Neukirchen <leah@...u.org>
To: musl@...ts.openwall.com
Subject: Out-of-bounds read in twobyte_memmem
Hello,
As mentioned in #musl, twobyte_memmem in memmem.c does an out of
bounds read to the byte after the final byte of the buffer, when it
updates hw using *++h before checking k. Similar code in strstr is
unproblematic since there it will only read the NUL terminator.
Proposed solution is to rewrite the for-loop to make control flow
order explicit, but there may be a more idiomatic solution than this:
static char *twobyte_memmem(const unsigned char *h, size_t k, const unsigned char *n)
{
uint16_t nw = n[0]<<8 | n[1], hw = h[0]<<8 | h[1];
h++;
k--;
for (;;) {
if (hw == nw) return (char *)h-1;
if (!--k) return 0;
hw = hw<<8 | *++h;
}
return 0;
}
This bug was detected by @mourais during development of mblaze on
OpenBSD, using MALLOC_OPTIONS=G.
Thanks,
--
Leah Neukirchen <leah@...u.org> http://leah.zone
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
