Check length before reading in stringmatchlen (#1431)

Fixes four cases where `stringmatchlen` could overrun the pattern if it is not terminated with NUL. These commits are cherry-picked from my [fork](https://github.com/thaliaarchi/antirez-stringmatch) which extracts `stringmatch` as a library and compares it to other projects by antirez which use the same matcher. Signed-off-by: Thalia Archibald <thalia@archibald.dev>
2024-12-13 02:05:19 -08:00 · 2024-12-13 02:05:19 -08:00 · b60097ba07
commit b60097ba07
parent 32f2c73cb5
1 changed files with 5 additions and 5 deletions
--- a/src/util.c
+++ b/src/util.c
@ -104,23 +104,23 @@ static int stringmatchlen_impl(const char *pattern,

            pattern++;
            patternLen--;
-            not_op = pattern[0] == '^';
+            not_op = patternLen && pattern[0] == '^';
            if (not_op) {
                pattern++;
                patternLen--;
            }
            match = 0;
            while (1) {
-                if (pattern[0] == '\\' && patternLen >= 2) {
+                if (patternLen >= 2 && pattern[0] == '\\') {
                    pattern++;
                    patternLen--;
                    if (pattern[0] == string[0]) match = 1;
-                } else if (pattern[0] == ']') {
-                    break;
                } else if (patternLen == 0) {
                    pattern--;
                    patternLen++;
                    break;
+                } else if (pattern[0] == ']') {
+                    break;
                } else if (patternLen >= 3 && pattern[1] == '-') {
                    int start = pattern[0];
                    int end = pattern[2];
@ -173,7 +173,7 @@ static int stringmatchlen_impl(const char *pattern,
        pattern++;
        patternLen--;
        if (stringLen == 0) {
-            while (*pattern == '*') {
+            while (patternLen && *pattern == '*') {
                pattern++;
                patternLen--;
            }