string: Fix buffer overrun in picolibc/newlib/libc/string/strrchr.c (#184)

Reported by prodisDown: In picolibc/newlib/libc/string/strrchr.c if (i) { while ((s=strchr(s, i))) { last = s; s++; } } else { last = strchr(s, i); } Value (for example 0xFFFFFF00) in if (i) can pass test and then be typecasted to char inside strchr(). Then s++ and then buffer overrun. It can be fixed by preventive typecast i = (int) (char) i; or typecasting inside expression if ((char) i). Fixed by casting to char. Signed-off-by: Keith Packard <keithp@keithp.com>
2025-02-18 23:12:15 +08:00 · 2021-10-11 09:24:54 -07:00 · 2021-10-11 09:24:54 -07:00 · c51f05c597
commit c51f05c597
parent dcd564f65c
1 changed files with 5 additions and 4 deletions
--- a/newlib/libc/string/strrchr.c
+++ b/newlib/libc/string/strrchr.c
@ -34,10 +34,11 @@ strrchr (const char *s,
 	int i)
 {
  const char *last = NULL;
+  char c = i;

-  if (i)
+  if (c)
    {
-      while ((s=strchr(s, i)))
+      while ((s=strchr(s, c)))
 	{
 	  last = s;
 	  s++;
@ -45,8 +46,8 @@ strrchr (const char *s,
    }
  else
    {
-      last = strchr(s, i);
+      last = strchr(s, c);
    }
-		  
+
  return (char *) last;
 }