4
0
mirror of git://sourceware.org/git/newlib-cygwin.git synced 2025-01-25 16:47:20 +08:00
Keith Packard c51f05c597 string: Fix buffer overrun in picolibc/newlib/libc/string/strrchr.c (#184)
Reported by prodisDown:

	In picolibc/newlib/libc/string/strrchr.c

	if (i) { while ((s=strchr(s, i))) { last = s; s++; } } else { last = strchr(s, i); }

	Value (for example 0xFFFFFF00) in if (i) can pass test and
	then be typecasted to char inside strchr(). Then s++ and then
	buffer overrun.

	It can be fixed by preventive typecast i = (int) (char) i; or
	typecasting inside expression if ((char) i).

Fixed by casting to char.

Signed-off-by: Keith Packard <keithp@keithp.com>
2021-10-13 16:39:49 -04:00

54 lines
823 B
C

/*
FUNCTION
<<strrchr>>---reverse search for character in string
INDEX
strrchr
SYNOPSIS
#include <string.h>
char * strrchr(const char *<[string]>, int <[c]>);
DESCRIPTION
This function finds the last occurence of <[c]> (converted to
a char) in the string pointed to by <[string]> (including the
terminating null character).
RETURNS
Returns a pointer to the located character, or a null pointer
if <[c]> does not occur in <[string]>.
PORTABILITY
<<strrchr>> is ANSI C.
<<strrchr>> requires no supporting OS subroutines.
QUICKREF
strrchr ansi pure
*/
#include <string.h>
char *
strrchr (const char *s,
int i)
{
const char *last = NULL;
char c = i;
if (c)
{
while ((s=strchr(s, c)))
{
last = s;
s++;
}
}
else
{
last = strchr(s, c);
}
return (char *) last;
}