From: Tom Hughes
Date: Tue, 14 Nov 2017 09:16:26 +0000 (+0000)
Subject: Avoid underflow in strlcpy and strlcat wrappers when count is zero
X-Git-Tag: VALGRIND_3_14_0~202
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a5af4146e383dd442130905901b046e2cb4b0ed4;p=thirdparty%2Fvalgrind.git

Avoid underflow in strlcpy and strlcat wrappers when count is zero

We can't decrement n because it's unsigned and might be zero which means it would wrap and we'd wind up reading far too much.

Fixes BZ#208052
---
diff --git a/shared/vg_replace_strmem.c b/shared/vg_replace_strmem.c
index 71c7e568c1..6c946ce44f 100644
--- a/shared/vg_replace_strmem.c
+++ b/shared/vg_replace_strmem.c
@@ -377,7 +377,7 @@ static inline void my_exit ( int x )
 while (m < n && *dst) { m++; dst++; } \
 if (m < n) { \
 /* Fill as far as dst_orig[n-2], then nul-terminate. */ \
- while (m < n-1 && *src) { m++; *dst++ = *src++; } \
+ while (m+1 < n && *src) { m++; *dst++ = *src++; } \
 *dst = 0; \
 } else { \
 /* No space to copy anything to dst. m == n */ \
@@ -580,7 +580,7 @@ static inline void my_exit ( int x )
 \
 STRLCPY_CHECK_FOR_DSTSIZE_ZERO \
 \
- while (m < n-1 && *src) { m++; *dst++ = *src++; } \
+ while (m+1 < n && *src) { m++; *dst++ = *src++; } \
 /* m non-nul bytes have now been copied, and m <= n-1. */ \
 /* Check for overlap after copying; all n bytes of dst are relevant, */ \
 /* but only m+1 bytes of src if terminator was found */ \
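Review bot: The context comment right after the rewritten loop in the second hunk, `/* m non-nul bytes have now been copied, and m <= n-1. */`, still states the bound with the `n-1` expression this commit removes. For an unsigned `n` of zero that bound wraps and says nothing, so it should read something like `/* m non-nul bytes have now been copied; m < n, or m == 0 when n == 0. */`. The same wording issue applies to `/* Fill as far as dst_orig[n-2], then nul-terminate. */` in the first hunk, although there the enclosing `if (m < n)` already guarantees n is at least 1. Both macro bodies continue outside the hunks, so confirm that the nul-termination and the overlap check following the second loop neither write through `dst` nor compute `n-1` when n is zero. A regression test calling both wrappers with a count of zero would pin the fix; none is visible in this diff.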