From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <jjohnstn@sourceware.org>
Received: by sourceware.org (Postfix, from userid 2134)
 id 800343858403; Wed, 13 Oct 2021 20:40:09 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 800343858403
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Jeff Johnston <jjohnstn@sourceware.org>
To: newlib-cvs@sourceware.org
Subject: [newlib-cygwin] string: Fix buffer overrun in
 picolibc/newlib/libc/string/strrchr.c (#184)
X-Act-Checkin: newlib-cygwin
X-Git-Author: Keith Packard <keithp@keithp.com>
X-Git-Refname: refs/heads/master
X-Git-Oldrev: dcd564f65caa96a9dc5c0d17020b9674a1a36e32
X-Git-Newrev: c51f05c59799fd03b15874a9608e613315dcb11c
Message-Id: <20211013204009.800343858403@sourceware.org>
Date: Wed, 13 Oct 2021 20:40:09 +0000 (GMT)
X-BeenThere: newlib-cvs@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Newlib GIT logs <newlib-cvs.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/newlib-cvs>,
 <mailto:newlib-cvs-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/newlib-cvs/>
List-Help: <mailto:newlib-cvs-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/newlib-cvs>,
 <mailto:newlib-cvs-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2021 20:40:09 -0000

https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=c51f05c59799fd03b15874a9608e613315dcb11c

commit c51f05c59799fd03b15874a9608e613315dcb11c
Author: Keith Packard <keithp@keithp.com>
Date:   Mon Oct 11 09:24:54 2021 -0700

    string: Fix buffer overrun in picolibc/newlib/libc/string/strrchr.c (#184)
    
    Reported by prodisDown:
    
            In picolibc/newlib/libc/string/strrchr.c
    
            if (i) { while ((s=strchr(s, i))) { last = s; s++; } } else { last = strchr(s, i); }
    
            Value (for example 0xFFFFFF00) in if (i) can pass test and
            then be typecasted to char inside strchr(). Then s++ and then
            buffer overrun.
    
            It can be fixed by preventive typecast i = (int) (char) i; or
            typecasting inside expression if ((char) i).
    
    Fixed by casting to char.
    
    Signed-off-by: Keith Packard <keithp@keithp.com>

Diff:
---
 newlib/libc/string/strrchr.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/newlib/libc/string/strrchr.c b/newlib/libc/string/strrchr.c
index 04897e162..35a7060d2 100644
--- a/newlib/libc/string/strrchr.c
+++ b/newlib/libc/string/strrchr.c
@@ -34,10 +34,11 @@ strrchr (const char *s,
 	int i)
 {
   const char *last = NULL;
+  char c = i;
 
-  if (i)
+  if (c)
     {
-      while ((s=strchr(s, i)))
+      while ((s=strchr(s, c)))
 	{
 	  last = s;
 	  s++;
@@ -45,8 +46,8 @@ strrchr (const char *s,
     }
   else
     {
-      last = strchr(s, i);
+      last = strchr(s, c);
     }
-		  
+
   return (char *) last;
 }