From: Rich Felker Date: Thu, 19 Jun 2014 04:42:28 +0000 (-0400) Subject: fix incorrect comparison loop condition in memmem X-Git-Tag: v1.1.3~23 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=cef0f289f666b6c963bfd11537a6d80916ff889e;p=oweals%2Fmusl.git fix incorrect comparison loop condition in memmem the logic for this loop was copied from null-terminated-string logic in strstr without properly adapting it to work with explicit lengths. presumably this error could result in false negatives (wrongly comparing past the end of the needle/haystack), false positives (stopping comparison early when the needle contains null bytes), and crashes (from runaway reads past the end of mapped memory). --- diff --git a/src/string/memmem.c b/src/string/memmem.c index 3b1ae183..d7e12219 100644 --- a/src/string/memmem.c +++ b/src/string/memmem.c @@ -112,8 +112,8 @@ static char *twoway_memmem(const unsigned char *h, const unsigned char *z, const } /* Compare right half */ - for (k=MAX(ms+1,mem); n[k] && n[k] == h[k]; k++); - if (n[k]) { + for (k=MAX(ms+1,mem); k
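Review bot: the `if (n[k])` test that follows the "Compare right half" loop needs the same length-based replacement as the loop condition itself. Once the loop is bounded by the needle length, `k` can end up equal to that length, and `n[k]` would then read one byte past the needle and give the wrong match decision. The added lines are cut off after `k` in this copy, so the new bound and the new post-loop test cannot be confirmed from the page. Since the commit message says the terminator-based logic was copied from strstr, it is worth checking the rest of twoway_memmem for any remaining `n[k]`-as-terminator tests, and adding a regression test whose needle contains null bytes, which covers the false-positive case the message describes.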