Prevent buffer overrun during iopBitOr on string args
"foo" | "f" is meant to yield a string of length
max(strlen("foo"), strlen("f")) by bitwise ORing each byte
of one string against the corresponding byte of the other.
When the strings are of differing lengths, however, the loop reads
past the end of the shorter string's buffer and picks up garbage data.
This data is often '\0', but under memory pressure it can be any
value, and the behavior becomes undefined.
@@ -241,14 +241,17 @@ struct MulEq {
|
||||
|
||||
template<class SzOp, class BitOp>
|
||||
StringData* stringBitOp(BitOp bop, SzOp sop, StringData* s1, StringData* s2) {
|
||||
auto const newLen = sop(s1->size(), s2->size());
|
||||
auto const s1Size = s1->size();
|
||||
auto const s2Size = s2->size();
|
||||
auto const newLen = sop(s1Size, s2Size);
|
||||
auto const newStr = NEW(StringData)(newLen);
|
||||
auto const s1Data = s1->data();
|
||||
auto const s2Data = s2->data();
|
||||
auto const outData = newStr->mutableData();
|
||||
|
||||
for (uint32_t i = 0; i < newLen; ++i) {
|
||||
outData[i] = bop(s1Data[i], s2Data[i]);
|
||||
outData[i] = bop((i < s1Size) ? s1Data[i] : 0,
|
||||
(i < s2Size) ? s2Data[i] : 0);
|
||||
}
|
||||
newStr->setSize(newLen);
|
||||
|
||||
|
||||
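Review bot: The `0` filler in the two ternaries inside the `for` loop is an undocumented contract of stringBitOp. It is the right padding only when zero is neutral for the `BitOp` passed in, or when `sop` never returns more than the shorter length, and nothing in the template says so. I would put a comment above the loop, e.g. `// Bytes past the end of the shorter operand are treated as 0; never index s1Data/s2Data at or beyond their own size.`, so a later "simplification" does not bring the over-read back. Since the old code could copy bytes that follow the shorter buffer into a script-visible string, a regression test with operands of different lengths (the `"foo" | "f"` case from the description) that asserts the exact result bytes would be worth adding if the commit does not already include one. The function body continues past the end of this hunk, so the return path is not visible here.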