Check length before reading in stringmatchlen

When a pattern is not NUL-terminated, stringmatchlen could overrun the end in some cases. Signed-off-by: Thalia Archibald <[email protected]>
valkey-io · Dec 12, 2024 · 44940a5 · 44940a5
1 parent 5f7fe9e
commit 44940a5
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/src/util.c b/src/util.c
@@ -104,23 +104,23 @@ static int stringmatchlen_impl(const char *pattern,
 
             pattern++;
             patternLen--;
-            not_op = pattern[0] == '^';
+            not_op = patternLen && pattern[0] == '^';
             if (not_op) {
                 pattern++;
                 patternLen--;
             }
             match = 0;
             while (1) {
-                if (pattern[0] == '\\' && patternLen >= 2) {
+                if (patternLen >= 2 && pattern[0] == '\\') {
                     pattern++;
                     patternLen--;
                     if (pattern[0] == string[0]) match = 1;
-                } else if (pattern[0] == ']') {
-                    break;
                 } else if (patternLen == 0) {
                     pattern--;
                     patternLen++;
                     break;
+                } else if (pattern[0] == ']') {
+                    break;
                 } else if (patternLen >= 3 && pattern[1] == '-') {
                     int start = pattern[0];
                     int end = pattern[2];
@@ -173,7 +173,7 @@ static int stringmatchlen_impl(const char *pattern,
         pattern++;
         patternLen--;
         if (stringLen == 0) {
-            while (*pattern == '*') {
+            while (patternLen && *pattern == '*') {
                 pattern++;
                 patternLen--;
             }