string: Fix buffer overrun in picolibc/newlib/libc/string/strrchr.c (#184)

Reported by prodisDown:

	In picolibc/newlib/libc/string/strrchr.c

	if (i) { while ((s=strchr(s, i))) { last = s; s++; } } else { last = strchr(s, i); }

	Value (for example 0xFFFFFF00) in if (i) can pass test and
	then be typecasted to char inside strchr(). Then s++ and then
	buffer overrun.

	It can be fixed by preventive typecast i = (int) (char) i; or
	typecasting inside expression if ((char) i).

Fixed by casting to char.

Signed-off-by: Keith Packard <keithp@keithp.com>

diff --git a/newlib/libc/string/strrchr.c b/newlib/libc/string/strrchr.c
index 04897e162a21ae9eb3cc731bb738fbf21f03604d..35a7060d2ab77c2ac6b3671b34682ad0ba0d0d26 100644 (file)
--- a/newlib/libc/string/strrchr.c
+++ b/newlib/libc/string/strrchr.c
@@ -34,10 +34,11 @@ strrchr (const char *s,
        int i)
 {
   const char *last = NULL;
+  char c = i;
 
-  if (i)
+  if (c)
     {
-      while ((s=strchr(s, i)))
+      while ((s=strchr(s, c)))
        {
          last = s;
          s++;
@@ -45,8 +46,8 @@ strrchr (const char *s,
     }
   else
     {
-      last = strchr(s, i);
+      last = strchr(s, c);
     }
-                 
+
   return (char *) last;
 }