From: Willy Tarreau <w@1wt.eu>
Date: Sun, 26 Apr 2026 21:00:38 +0000 (+0200)
Subject: BUG/MINOR: tools: my_memspn/my_memcspn wrong cast causing incorrect byte reading
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=84cb8dd1263c8c5fe1a4f82a8fbb858f9493c88e;p=thirdparty%2Fhaproxy.git

BUG/MINOR: tools: my_memspn/my_memcspn wrong cast causing incorrect byte reading

Both functions cast void * to int * and dereference, reading 4 bytes as an
integer instead of a single byte. This is passed to memchr() which expects a
byte value. On unaligned addresses this causes crashes on ARM/mips etc, and
search for the wrong byte on big endian platforms. Fixed to cast to
const unsigned char * and dereference a single byte. This is marked as
minor because these functions were added in 2.2 by commit 5eb96cbcbc
("MINOR: standard: Add my_memspn and my_memcspn") and have not been used
since then.
---

diff --git a/src/tools.c b/src/tools.c
index f5b14d75a..7a48969ec 100644
--- a/src/tools.c
+++ b/src/tools.c
@@ -3070,7 +3070,7 @@ size_t my_memspn(const void *str, size_t len, const void *accept, size_t acceptl
 {
 	size_t ret = 0;
 
-	while (ret < len && memchr(accept, *((int *)str), acceptlen)) {
+	while (ret < len && memchr(accept, *((const unsigned char *)str), acceptlen)) {
 		str++;
 		ret++;
 	}
@@ -3083,7 +3083,7 @@ size_t my_memcspn(const void *str, size_t len, const void *reject, size_t reject
 	size_t ret = 0;
 
 	while (ret < len) {
-		if(memchr(reject, *((int *)str), rejectlen))
+		if (memchr(reject, *((const unsigned char *)str), rejectlen))
 			return ret;
 		str++;
 		ret++;