scan-build: memarea_strndup() undefined behavior

The memarea_strndup() function would have hit undefined behavior by
creating an 'end' pointer off the end of a string if it had ever been
given an 'n' argument bigger than the length of the memory ares that
it's scanning.  Fortunately, we never did that except in the unit
tests.  But it's not a safe behavior to leave lying around.

diff --git a/src/common/memarea.c b/src/common/memarea.c
index e2d07fca9e5741e131a290d147bbb47aeff86029..bcaea0949ebe13a2ffb648b907ef8e97f367ab23 100644 (file)
--- a/src/common/memarea.c
+++ b/src/common/memarea.c
@@ -291,14 +291,11 @@ memarea_strdup(memarea_t *area, const char *s)
 char *
 memarea_strndup(memarea_t *area, const char *s, size_t n)
 {
-  size_t ln;
+  size_t ln = 0;
   char *result;
-  const char *cp, *end = s+n;
   tor_assert(n < SIZE_T_CEILING);
-  for (cp = s; cp < end && *cp; ++cp)
+  for (ln = 0; ln < n && s[ln]; ++ln)
     ;
-  /* cp now points to s+n, or to the 0 in the string. */
-  ln = cp-s;
   result = memarea_alloc(area, ln+1);
   memcpy(result, s, ln);
   result[ln]='\0';