From 7fdf4004de79486d475b270f08b64ea08867d3a4 Mon Sep 17 00:00:00 2001
From: Daniel Bertalan
Date: Fri, 31 Dec 2021 21:04:56 +0100
Subject: [PATCH] LibCore: Fix OOB read in Stream::BufferedSeekable::read_until_any_of

If we do not decrement `m_buffered_size` whenever we read data from the buffer, we end up saying that there are more lines available when we reach the end of file. This bug caused callers to read garbage data.

This also fixes an incorrect condition in an if statement. The separator candidate is searched for in `remaining_buffer`, so the separator's length should be compared against that.
---
 Userland/Libraries/LibCore/Stream.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibCore/Stream.h b/Userland/Libraries/LibCore/Stream.h
index b024bebbb6..af688570f6 100644
--- a/Userland/Libraries/LibCore/Stream.h
+++ b/Userland/Libraries/LibCore/Stream.h
@@ -627,7 +627,7 @@ public:
 // user buffer.
 StringView remaining_buffer { m_buffer.span().offset(offset), maximum_offset - offset };
 for (auto candidate : candidates) {
- if (candidate.length() > offset)
+ if (candidate.length() > remaining_buffer.length())
 continue;
 if (remaining_buffer.starts_with(candidate))
 longest_match = max(longest_match, candidate.length());
@@ -640,6 +640,8 @@ public:
 buffer_to_take.copy_to(buffer);
 m_buffer.overwrite(0, buffer_to_shift.data(), buffer_to_shift.size());
 
+ m_buffered_size -= offset + longest_match;
+
 return offset;
 }
 }
@@ -654,6 +656,8 @@ public:
 buffer_to_take.copy_to(buffer);
 m_buffer.overwrite(0, buffer_to_shift.data(), buffer_to_shift.size());
 
+ m_buffered_size -= readable_size;
+
 return readable_size;
 }
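Review bot: The corrected guard `candidate.length() > remaining_buffer.length()` carries no comment saying why it compares against the remaining tail rather than `offset`, which is exactly the mistake the commit is undoing. A one-line comment above the `if` would pin it: `// A candidate longer than the unread tail cannot match; reject it before starts_with() touches the buffer.` Whether `StringView::starts_with` itself tolerates a needle longer than the haystack is not visible in this hunk, so the explicit guard should stay either way. `read_until_any_of` begins before and ends after this hunk.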
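Review bot: `m_buffered_size -= offset + longest_match;` subtracts without checking that the amount does not exceed `m_buffered_size`; if the field is unsigned (its declaration is outside the hunk), any drift between it and the `StringView`s built from `m_buffer` would wrap it to a huge value and silently recreate the over-read this commit fixes rather than failing loudly. An assertion before the decrement makes the invariant checkable: `VERIFY(offset + longest_match <= m_buffered_size);`, and the same applies to `m_buffered_size -= readable_size;` in the third hunk (`VERIFY(readable_size <= m_buffered_size);`). A short comment on the decrement would also record why it must track the `overwrite` call above it, e.g. `// Keep m_buffered_size in step with the bytes shifted out of m_buffer; it decides whether more data is reported as available.` The enclosing `read_until_any_of` starts and ends outside this hunk.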