From fde95cf5b5ace06f497842f9329d5207c4834898 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Thu, 24 Apr 2014 22:57:27 +0200
Subject: Fix off-by-one in String::substring

When checking the `left` argument, it previously allowed having left == len. However, this means the substring starts one past the last character in the string and should return the empty string. In practice, this already worked correctly, because buffer[len] contains the trailing nul, so it would (re)assign the empty string to `out`. However, fixing this check makes it a bit more logical, and prevents a fairly unlikely out-of-buffer write (to address 0x0) when calling substring on an invalidated String: String bar = (char*)NULL; bar.substring(0, 0);
---
 cores/arduino/WString.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'cores/arduino/WString.cpp')
diff --git a/cores/arduino/WString.cpp b/cores/arduino/WString.cpp
index f494094..dcd469d 100644
--- a/cores/arduino/WString.cpp
+++ b/cores/arduino/WString.cpp
@@ -619,7 +619,7 @@ String String::substring(unsigned int left, unsigned int right) const
 left = temp;
 }
 String out;
- if (left > len) return out;
+ if (left >= len) return out;
 if (right > len) right = len;
 char temp = buffer[right]; // save the replaced character
 buffer[right] = '\0';
--
cgit v1.2.3-18-g5258
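Review bot: The new `if (left >= len) return out;` guard keeps the `buffer[right] = '\0';` write off a null buffer only while an invalidated String always has `len == 0`, and that invariant is not visible in this hunk. Stating the precondition directly, `if (!buffer || left >= len) return out;`, would keep the null-buffer case safe even if some other code path leaves `len` non-zero. If the check stays as written, a comment such as `// left >= len also rejects an invalidated String (buffer == NULL, len == 0)` would record why the comparison must not be relaxed back to `>`. The body of String::substring starts before and continues past the hunk, so the restore of the saved character is not reviewed here.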