fix incorrect comparison loop condition in memmem

the logic for this loop was copied from null-terminated-string logic
in strstr without properly adapting it to work with explicit lengths.

presumably this error could result in false negatives (wrongly
comparing past the end of the needle/haystack), false positives
(stopping comparison early when the needle contains null bytes), and
crashes (from runaway reads past the end of mapped memory).

diff --git a/src/string/memmem.c b/src/string/memmem.c
index 3b1ae18316a1d355bc6e2eabb46648060cf7decb..d7e1221940b013810f1e26261357dc2609f2051b 100644 (file)
--- a/src/string/memmem.c
+++ b/src/string/memmem.c
@@ -112,8 +112,8 @@ static char *twoway_memmem(const unsigned char *h, const unsigned char *z, const
                }
 
                /* Compare right half */
-               for (k=MAX(ms+1,mem); n[k] && n[k] == h[k]; k++);
-               if (n[k]) {
+               for (k=MAX(ms+1,mem); k<l && n[k] == h[k]; k++);
+               if (k < l) {
                        h += k-ms;
                        mem = 0;
                        continue;