LibCore: Fix OOB read in Stream::BufferedSeekable::read_until_any_of

If we do not decrement `m_buffered_size` whenever we read data from the buffer, we end up saying that there are more lines available when we reach the end of file. This bug caused callers to read garbage data. This also fixes an incorrect condition in an if statement. The separator candidate is searched for in `remaining_buffer`, so the separator's length should be compared against that.
2025-07-25 15:47:44 +00:00 · 2021-12-31 21:04:56 +01:00 · 2021-12-31 21:04:56 +01:00 · 7fdf4004de
commit 7fdf4004de
parent 22c27e1ba9
1 changed files with 5 additions and 1 deletions
--- a/Userland/Libraries/LibCore/Stream.h
+++ b/Userland/Libraries/LibCore/Stream.h
@ -627,7 +627,7 @@ public:
            // user buffer.
            StringView remaining_buffer { m_buffer.span().offset(offset), maximum_offset - offset };
            for (auto candidate : candidates) {
-                if (candidate.length() > offset)
+                if (candidate.length() > remaining_buffer.length())
                    continue;
                if (remaining_buffer.starts_with(candidate))
                    longest_match = max(longest_match, candidate.length());
@ -640,6 +640,8 @@ public:
                buffer_to_take.copy_to(buffer);
                m_buffer.overwrite(0, buffer_to_shift.data(), buffer_to_shift.size());

+                m_buffered_size -= offset + longest_match;
+
                return offset;
            }
        }
@ -654,6 +656,8 @@ public:
        buffer_to_take.copy_to(buffer);
        m_buffer.overwrite(0, buffer_to_shift.data(), buffer_to_shift.size());

+        m_buffered_size -= readable_size;
+
        return readable_size;
    }