From owner-svn-src-head@freebsd.org  Mon Oct 15 20:20:58 2018
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id AB7AD10C8138;
 Mon, 15 Oct 2018 20:20:58 +0000 (UTC)
 (envelope-from glebius@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 612088374B;
 Mon, 15 Oct 2018 20:20:58 +0000 (UTC)
 (envelope-from glebius@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 5BDAB1203B;
 Mon, 15 Oct 2018 20:20:58 +0000 (UTC)
 (envelope-from glebius@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w9FKKwps072718;
 Mon, 15 Oct 2018 20:20:58 GMT (envelope-from glebius@FreeBSD.org)
Received: (from glebius@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id w9FKKwbL072717;
 Mon, 15 Oct 2018 20:20:58 GMT (envelope-from glebius@FreeBSD.org)
Message-Id: <201810152020.w9FKKwbL072717@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: glebius set sender to
 glebius@FreeBSD.org using -f
From: Gleb Smirnoff <glebius@FreeBSD.org>
Date: Mon, 15 Oct 2018 20:20:58 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r339370 - head/lib/libc/string
X-SVN-Group: head
X-SVN-Commit-Author: glebius
X-SVN-Commit-Paths: head/lib/libc/string
X-SVN-Commit-Revision: 339370
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Oct 2018 20:20:58 -0000

Author: glebius
Date: Mon Oct 15 20:20:57 2018
New Revision: 339370
URL: https://svnweb.freebsd.org/changeset/base/339370

Log:
  Avoid OOB reads in memmem(3).
  
  commit 51bdcdc424bd7169c8cccdc2de7cad17f5ea0f70
  Author: Alexander Monakov <amonakov@ispras.ru>
  Date:   Fri Jun 30 00:35:33 2017 +0300
  
      fix OOB reads in Xbyte_memmem
  
      Reported by Leah Neukirchen.
  
  Reviewed by:	emaste
  Approved by:	re (kib)

Modified:
  head/lib/libc/string/memmem.c

Modified: head/lib/libc/string/memmem.c
==============================================================================
--- head/lib/libc/string/memmem.c	Mon Oct 15 20:11:53 2018	(r339369)
+++ head/lib/libc/string/memmem.c	Mon Oct 15 20:20:57 2018	(r339370)
@@ -31,27 +31,27 @@ __FBSDID("$FreeBSD$");
 static char *twobyte_memmem(const unsigned char *h, size_t k, const unsigned char *n)
 {
 	uint16_t nw = n[0]<<8 | n[1], hw = h[0]<<8 | h[1];
-	for (h++, k--; k; k--, hw = hw<<8 | *++h)
-		if (hw == nw) return (char *)h-1;
-	return 0;
+	for (h+=2, k-=2; k; k--, hw = hw<<8 | *h++)
+		if (hw == nw) return (char *)h-2;
+	return hw == nw ? (char *)h-2 : 0;
 }
 
 static char *threebyte_memmem(const unsigned char *h, size_t k, const unsigned char *n)
 {
 	uint32_t nw = n[0]<<24 | n[1]<<16 | n[2]<<8;
 	uint32_t hw = h[0]<<24 | h[1]<<16 | h[2]<<8;
-	for (h+=2, k-=2; k; k--, hw = (hw|*++h)<<8)
-		if (hw == nw) return (char *)h-2;
-	return 0;
+	for (h+=3, k-=3; k; k--, hw = (hw|*h++)<<8)
+		if (hw == nw) return (char *)h-3;
+	return hw == nw ? (char *)h-3 : 0;
 }
 
 static char *fourbyte_memmem(const unsigned char *h, size_t k, const unsigned char *n)
 {
 	uint32_t nw = n[0]<<24 | n[1]<<16 | n[2]<<8 | n[3];
 	uint32_t hw = h[0]<<24 | h[1]<<16 | h[2]<<8 | h[3];
-	for (h+=3, k-=3; k; k--, hw = hw<<8 | *++h)
-		if (hw == nw) return (char *)h-3;
-	return 0;
+	for (h+=4, k-=4; k; k--, hw = hw<<8 | *h++)
+		if (hw == nw) return (char *)h-4;
+	return hw == nw ? (char *)h-4 : 0;
 }
 
 #define MAX(a,b) ((a)>(b)?(a):(b))