1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-14 10:09:48 +00:00

libc: Fix "harmless" iconv one-byte overread

Checking there are still bytes left must be done before dereferencing
the pointer, not the other way round. This is harmless on traditional
architectures since the result will immediately be thrown away, and all
callers are in separate translation units so there is no potential for
optimising based on this out-of-bounds read. However, on CHERI, pointers
are bounded, and so this will trap if fed a string that does not have a
NUL within the first len bytes.

Found by:	CHERI
Reviewed by:	brooks
This commit is contained in:
Jessica Clarke 2021-12-21 22:47:38 +00:00
parent d074adf18b
commit 6d5297569e

View File

@ -109,7 +109,7 @@ const char *
_citrus_bcs_skip_ws_len(const char * __restrict p, size_t * __restrict len)
{
while (*p && *len > 0 && _bcs_isspace(*p)) {
while (*len > 0 && *p && _bcs_isspace(*p)) {
p++;
(*len)--;
}
@ -124,7 +124,7 @@ const char *
_citrus_bcs_skip_nonws_len(const char * __restrict p, size_t * __restrict len)
{
while (*p && *len > 0 && !_bcs_isspace(*p)) {
while (*len > 0 && *p && !_bcs_isspace(*p)) {
p++;
(*len)--;
}