diff options
author | Matthijs Kooijman <matthijs@stdin.nl> | 2014-03-16 11:26:30 +0100 |
---|---|---|
committer | Matthijs Kooijman <matthijs@stdin.nl> | 2014-09-10 12:33:25 +0200 |
commit | b2729a515607f1b0108d38b816430797f558c57f (patch) | |
tree | f0ad7abb905c7f887082d1f68b3a79b21c6f374b /firmwares/wifishield/wifiHD/src/SOFTWARE_FRAMEWORK/UTILS/PREPROCESSOR/stringz.h | |
parent | dfb0dee773bb7e9f44348ca518292435e9148eba (diff) |
Fix bounds check in String::remove()
Previously, if you passed in a very big index and/or count, the
`index + count` could overflow, making the count be used as-is instead
of being truncated (causing the string to be updated wrongly and
potentially writing to arbitrary memory locations).
We can rewrite the comparison to use `len - index` instead. Since we
know that index < len, we are sure this subtraction does not overflow,
regardless of what values of index and count we pass in.
As an added bonus, the `len - index` value already needed be calculated
inside the if, so this saves a few instructions in the generated code.
To illustrate this problem, consider this code:
String foo = "foo";
Serial.println(foo.length()); // Prints 3
foo.remove(1, 65535); // Should remove all but first character
Serial.println(foo.length()); // Prints 4 without this patch
Not shown in this is example is that some arbitrary memory is written
as well.
Diffstat (limited to 'firmwares/wifishield/wifiHD/src/SOFTWARE_FRAMEWORK/UTILS/PREPROCESSOR/stringz.h')
0 files changed, 0 insertions, 0 deletions