From e585ed48b0b3e89a8bb4a805b568b7627c42c72b Mon Sep 17 00:00:00 2001 From: Sergey Bugaev Date: Thu, 13 Jun 2019 16:27:29 +0300 Subject: [PATCH] AK: Fix String::matches() with non-null-terminated StringViews. StringView character buffer is not guaranteed to be null-terminated; in particular it will not be null-terminated when making a substring. This means it is not correct to check whether we've reached the end of a StringView by comparing the next character to null; instead, we need to do an explicit length (or pointer) comparison. --- AK/String.cpp | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/AK/String.cpp b/AK/String.cpp index 974f2dba1b1..e2d5f3d2c49 100644 --- a/AK/String.cpp +++ b/AK/String.cpp @@ -230,9 +230,10 @@ bool String::match_helper(const StringView& mask) const const char* string_ptr = characters(); const char* mask_ptr = mask.characters(); + const char* mask_end = mask_ptr + mask.length(); // Match string against mask directly unless we hit a * - while ((*string_ptr) && (*mask_ptr != '*')) { + while ((*string_ptr) && (mask_ptr < mask_end) && (*mask_ptr != '*')) { if ((*mask_ptr != *string_ptr) && (*mask_ptr != '?')) return false; mask_ptr++; @@ -243,13 +244,13 @@ bool String::match_helper(const StringView& mask) const const char* mp = nullptr; while (*string_ptr) { - if (*mask_ptr == '*') { + if ((mask_ptr < mask_end) && (*mask_ptr == '*')) { // If we have only a * left, there is no way to not match. - if (!*++mask_ptr) + if (++mask_ptr == mask_end) return true; mp = mask_ptr; cp = string_ptr + 1; - } else if ((*mask_ptr == *string_ptr) || (*mask_ptr == '?')) { + } else if ((mask_ptr < mask_end) && ((*mask_ptr == *string_ptr) || (*mask_ptr == '?'))) { mask_ptr++; string_ptr++; } else { @@ -259,11 +260,11 @@ bool String::match_helper(const StringView& mask) const } // Handle any trailing mask - while (*mask_ptr == '*') + while ((mask_ptr < mask_end) && (*mask_ptr == '*')) mask_ptr++; // If we 'ate' all of the mask then we match. - return !*mask_ptr; + return mask_ptr == mask_end; } }