From: José Fonseca
Date: Fri, 2 Mar 2012 11:11:58 +0000 (+0000)
Subject: Prevent buffer overflow in os::String::rfindSep().
X-Git-Url: https://git.cworth.org/git?a=commitdiff_plain;h=380cee71f41ef06022025d1819dec8e635967df8;p=apitrace

Prevent buffer overflow in os::String::rfindSep().
---

diff --git a/common/os_string.hpp b/common/os_string.hpp
index 29ae5cf..a277707 100644
--- a/common/os_string.hpp
+++ b/common/os_string.hpp
@@ -93,12 +93,19 @@ protected:
 Buffer::iterator rfind(char c) {
 Buffer::iterator it = buffer.end();
+
+ // Skip trailing '\0'
+ assert(it != buffer.begin());
+ --it;
+ assert(*it == '\0');
+
 while (it != buffer.begin()) {
 --it;
 if (*it == c) {
 return it;
 }
 }
+
 return buffer.end();
 }
@@ -126,17 +133,30 @@ protected:
 Buffer::iterator rfindSep(void) {
 Buffer::iterator it = buffer.end();
+ // Skip trailing '\0'
+ assert(it != buffer.begin());
+ --it;
+ assert(*it == '\0');
+
 // Skip trailing separators
- while (it != buffer.begin() && isSep(*it)) {
+ while (it != buffer.begin()) {
 --it;
+ if (isSep(*it)) {
+ // Halt if find the root
+ if (it == buffer.begin()) {
+ return it;
+ }
+ } else {
+ break;
+ }
 }
 // Advance to the last separator
 while (it != buffer.begin()) {
+ --it;
 if (isSep(*it)) {
 return it;
 }
- --it;
 }
 return buffer.end();
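Review bot: The only guard in front of the new `--it` in rfind() is `assert(it != buffer.begin())`, so in a build with NDEBUG defined an empty buffer would still move the iterator before buffer.begin(), and the scan would start from whatever the last element is. Whether every constructor and mutator keeps the trailing '\0' is not visible in this hunk; if they do, record it next to the asserts, e.g. `// Invariant: buffer is never empty and always ends with '\0'`, otherwise add `if (buffer.empty()) return buffer.end();` ahead of them. The same assert-only pattern is repeated at the top of rfindSep() in the second hunk. The patch adds assert() without touching the include list, so it is worth confirming the header already includes `<assert.h>`.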
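Review bot: rfindSep() gains an early `return it` for a path made only of separators, and nothing above the function states what the returned iterator means in that case as opposed to the ordinary one or buffer.end(). Callers are not visible here, but any that truncate at the returned position have to handle a result equal to buffer.begin(), so a header comment would help, e.g. `// Returns the separator before the last path component, the leading separator if the path is only separators, or buffer.end() if there is none.` The inline comment would read better as `// Stop at the root separator`. The function's closing brace lies outside the hunk.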