mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-14 10:09:48 +00:00
libc: Fix "harmless" iconv one-byte overread
Checking there are still bytes left must be done before dereferencing the pointer, not the other way round. This is harmless on traditional architectures since the result will immediately be thrown away, and all callers are in separate translation units so there is no potential for optimising based on this out-of-bounds read. However, on CHERI, pointers are bounded, and so this will trap if fed a string that does not have a NUL within the first len bytes. Found by: CHERI Reviewed by: brooks
This commit is contained in:
parent
d074adf18b
commit
6d5297569e
@ -109,7 +109,7 @@ const char *
|
||||
_citrus_bcs_skip_ws_len(const char * __restrict p, size_t * __restrict len)
|
||||
{
|
||||
|
||||
while (*p && *len > 0 && _bcs_isspace(*p)) {
|
||||
while (*len > 0 && *p && _bcs_isspace(*p)) {
|
||||
p++;
|
||||
(*len)--;
|
||||
}
|
||||
@ -124,7 +124,7 @@ const char *
|
||||
_citrus_bcs_skip_nonws_len(const char * __restrict p, size_t * __restrict len)
|
||||
{
|
||||
|
||||
while (*p && *len > 0 && !_bcs_isspace(*p)) {
|
||||
while (*len > 0 && *p && !_bcs_isspace(*p)) {
|
||||
p++;
|
||||
(*len)--;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user