FORTIFY_SOURCE: fortify strrchr

This change compliments 049e58369c37fdeacd0380a6bf1e078d9baf819f Change-Id: I27d015d70a520713c7472558a3c427f546d36ee4
2012-12-03 10:36:13 -08:00 · 2012-12-03 10:36:13 -08:00 · 9a4d305340
commit 9a4d305340
parent 60fb68338b
2 changed files with 30 additions and 2 deletions
--- a/libc/include/string.h
+++ b/libc/include/string.h
@ -240,6 +240,22 @@ char* strchr(const char *s, int c) {
    return __strchr_chk(s, c, bos);
 }

+__purefunc extern char* __strrchr_real(const char *, int)
+    __asm__(__USER_LABEL_PREFIX__ "strrchr");
+extern char* __strrchr_chk(const char *, int, size_t);
+
+__BIONIC_FORTIFY_INLINE
+char* strrchr(const char *s, int c) {
+    size_t bos = __builtin_object_size(s, 0);
+
+    // Compiler doesn't know destination size. Don't call __strrchr_chk
+    if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
+        return __strrchr_real(s, c);
+    }
+
+    return __strrchr_chk(s, c, bos);
+}
+

 #endif /* defined(__BIONIC_FORTIFY_INLINE) */

--- a/libc/string/strrchr.c
+++ b/libc/string/strrchr.c
@ -29,13 +29,19 @@
 */

 #include <string.h>
+#include <private/logd.h>

 char *
-strrchr(const char *p, int ch)
+__strrchr_chk(const char *p, int ch, size_t s_len)
 {
 	char *save;

-	for (save = NULL;; ++p) {
+	for (save = NULL;; ++p, s_len--) {
+		if (s_len == 0) {
+			__libc_android_log_print(ANDROID_LOG_FATAL, "libc",
+				"*** FORTIFY_SOURCE strrchr read beyond buffer ***\n");
+			abort();
+		}
 		if (*p == (char) ch)
 			save = (char *)p;
 		if (!*p)
@ -43,3 +49,9 @@ strrchr(const char *p, int ch)
 	}
 	/* NOTREACHED */
 }
+
+char *
+strrchr(const char *p, int ch)
+{
+	return __strrchr_chk(p, ch, (size_t) -1);
+}