string: Fix buffer overrun in picolibc/newlib/libc/string/strrchr.c (#184)

Reported by prodisDown: In picolibc/newlib/libc/string/strrchr.c if (i) { while ((s=strchr(s, i))) { last = s; s++; } } else { last = strchr(s, i); } Value (for example 0xFFFFFF00) in if (i) can pass test and then be typecasted to char inside strchr(). Then s++ and then buffer overrun. It can be fixed by preventive typecast i = (int) (char) i; or typecasting inside expression if ((char) i). Fixed by casting to char. Signed-off-by: Keith Packard <keithp@keithp.com>
author: Keith Packard <keithp@keithp.com> 2021-10-11 19:24:54 +0300
committer: Jeff Johnston <jjohnstn@redhat.com> 2021-10-13 23:39:49 +0300
commit: c51f05c59799fd03b15874a9608e613315dcb11c (patch)
tree: 68f431702b12ce8441ba72c485dc1a6dbb506122 /newlib/libc/string
parent: dcd564f65caa96a9dc5c0d17020b9674a1a36e32 (diff)
1 files changed, 5 insertions, 4 deletions
diff --git a/newlib/libc/string/strrchr.c b/newlib/libc/string/strrchr.c
index 04897e162..35a7060d2 100644
--- a/newlib/libc/string/strrchr.c
+++ b/newlib/libc/string/strrchr.c
@@ -34,10 +34,11 @@ strrchr (const char *s,
 	int i)
 {
   const char *last = NULL;
+  char c = i;
 
-  if (i)
+  if (c)
     {
-      while ((s=strchr(s, i)))
+      while ((s=strchr(s, c)))
 	{
 	  last = s;
 	  s++;
@@ -45,8 +46,8 @@ strrchr (const char *s,
     }
   else
     {
-      last = strchr(s, i);
+      last = strchr(s, c);
     }
-		  
+
   return (char *) last;
 }
author	Keith Packard <keithp@keithp.com>	2021-10-11 19:24:54 +0300
committer	Jeff Johnston <jjohnstn@redhat.com>	2021-10-13 23:39:49 +0300
commit	c51f05c59799fd03b15874a9608e613315dcb11c (patch)
tree	68f431702b12ce8441ba72c485dc1a6dbb506122 /newlib/libc/string
parent	dcd564f65caa96a9dc5c0d17020b9674a1a36e32 (diff)