From 752c684c5bc571b061913a1f64250f916ed5dfe9 Mon Sep 17 00:00:00 2001
From: Keith Packard
Date: Mon, 11 Oct 2021 09:24:54 -0700
Subject: [PATCH] string: Fix buffer overrun in picolibc/newlib/libc/string/strrchr.c (#184)

Reported by prodisDown: In picolibc/newlib/libc/string/strrchr.c if (i) { while ((s=strchr(s, i))) { last = s; s++; } } else { last = strchr(s, i); } Value (for example 0xFFFFFF00) in if (i) can pass test and then be typecasted to char inside strchr(). Then s++ and then buffer overrun. It can be fixed by preventive typecast i = (int) (char) i; or typecasting inside expression if ((char) i). Fixed by casting to char.

Signed-off-by: Keith Packard
---
 newlib/libc/string/strrchr.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/newlib/libc/string/strrchr.c b/newlib/libc/string/strrchr.c
index 95662e35e..c4638fede 100644
--- a/newlib/libc/string/strrchr.c
+++ b/newlib/libc/string/strrchr.c
@@ -50,10 +50,11 @@ strrchr (const char *s,
 int i)
 {
 const char *last = NULL;
+ char c = i;
- if (i)
+ if (c)
 {
- while ((s=strchr(s, i)))
+ while ((s=strchr(s, c)))
 {
 last = s;
 s++;
@@ -61,8 +62,8 @@ strrchr (const char *s,
 }
 else
 {
- last = strchr(s, i);
+ last = strchr(s, c);
 }
-
+
 return (char *) last;
 }
--
2.33.0
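Review bot: The new `char c = i;` is the conversion the standard prescribes (C11 7.24.5.5 searches for the int converted to char), but the hunk adds no comment saying why the narrowing must happen before the `if`, and since converting an out-of-range int to a signed `char` is implementation-defined a future reader may be tempted to widen it back to `int`. Suggest a comment above the declaration: `/* Narrow first (C11 7.24.5.5): an int whose low byte is 0, e.g. 0xFFFFFF00, would otherwise pass if (i), make strchr() search for '\0', and let s++ step past the terminator. */`. The same `c` is used in both hunks, so one comment at the declaration covers them; the `char *` return type and the `strrchr (const char *s,` signature line begin above the first hunk. The bare `-`/`+` blank-line pair in the second hunk appears to be a trailing-whitespace cleanup and is harmless, but is not mentioned in the message.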