From 4da7282a1882fc03c99591c27d44a2e6dfda364b Mon Sep 17 00:00:00 2001 From: Robert Clausecker Date: Wed, 12 Jul 2023 20:23:21 +0200 Subject: [PATCH] lib/libc/string/bcmp.c: fix integer overflow bug bcmp() returned the number of remaining bytes when the main loop exits. In case of a match, this is zero, else a positive integer. On systems where SIZE_MAX > INT_MAX, the implicit conversion from size_t to int in the return value may cause the number of remaining bytes to overflow, becoming zero and falsely indicating a successful comparison. Fix the bug by always returning 0 on equality, 1 otherwise. PR: 272474 Approved by: emaste Reviewed by: imp MFC After: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41011 --- lib/libc/string/bcmp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/libc/string/bcmp.c b/lib/libc/string/bcmp.c
index 96cd49039ee..c42fe79ddb2 100644
--- a/lib/libc/string/bcmp.c
+++ b/lib/libc/string/bcmp.c
@@ -51,7 +51,7 @@ bcmp(const void *b1, const void *b2, size_t length)
 p2 = (char *)b2;
 do
 if (*p1++ != *p2++)
- break;
+ return (1);
 while (--length);
- return (length);
+ return (0);
 }
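Review bot: The do/while still runs its body once before `--length` is tested, so a call with `length == 0` would dereference one byte of each buffer and then wrap the counter to SIZE_MAX; the start of bcmp() lies outside the hunk, so this is only safe if an `if (length == 0) return (0);` guard precedes the visible lines — worth confirming rather than assuming. The fix itself is sound: both exits now return the constants 0 and 1, so the result no longer depends on narrowing a size_t remaining count to int, which is what let a mismatch be reported as a match. On the context line `p2 = (char *)b2;` the cast discards the const qualifier of the parameter; declaring `const char *p1, *p2;` and casting with `(const char *)` would keep the same byte-by-byte behaviour without the const-discard.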