From ea9a24e76d4bc273b29bce04749846cc4bc8c733 Mon Sep 17 00:00:00 2001
From: s-hadinger <49731213+s-hadinger@users.noreply.github.com>
Date: Sat, 31 May 2025 20:02:40 +0200
Subject: [PATCH] Berry fix potential pointer underflow with `string.endswith` (#23496)
---
 CHANGELOG.md | 1 +
 lib/libesp32/berry/src/be_strlib.c | 19 +++++++++++--------
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f39431253..b98937b8a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,7 @@ All notable changes to this project will be documented in this file.
 - DNS setting with `IPAddress4/5` not persisted (#23426)
 - Berry avoid json parsing for unmatched commands
 - Berry fix integer and real parser to handle overflows
+- Berry fix potential pointer underflow with `string.endswith`
 ### Removed
diff --git a/lib/libesp32/berry/src/be_strlib.c b/lib/libesp32/berry/src/be_strlib.c
index bd4198e03..81dc1b0e1 100644
--- a/lib/libesp32/berry/src/be_strlib.c
+++ b/lib/libesp32/berry/src/be_strlib.c
@@ -1074,14 +1074,17 @@ static int str_endswith(bvm *vm)
 bbool result = bfalse;
 const char *s = be_tostring(vm, 1);
 const char *p = be_tostring(vm, 2);
- size_t len = (size_t)be_strlen(vm, 2);
- if (case_insensitive) {
- if (str_strncasecmp(s + (int)strlen(s) - (int)len, p, len) == 0) {
- result = btrue;
- }
- } else {
- if (strncmp(s + (int)strlen(s) - (int)len, p, len) == 0) {
- result = btrue;
+ size_t len_s = (size_t)be_strlen(vm, 1);
+ size_t len_p = (size_t)be_strlen(vm, 2);
+ if (len_s >= len_p) {
+ if (case_insensitive) {
+ if (str_strncasecmp(s + (int)len_s - (int)len_p, p, len_p) == 0) {
+ result = btrue;
+ }
+ } else {
+ if (strncmp(s + (int)len_s - (int)len_p, p, len_p) == 0) {
+ result = btrue;
+ }
 }
 }
 be_pushbool(vm, result);
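Review bot: The `(int)` casts in `s + (int)len_s - (int)len_p` (in both the `str_strncasecmp` and the `strncmp` branch) are left over from the old code and are no longer needed once `len_s >= len_p` is checked; a length above `INT_MAX` would still be narrowed to `int` before the pointer arithmetic. Computing the offset in `size_t` keeps the bounds argument in one type: `const char *tail = s + (len_s - len_p);`, with `tail` passed to both comparisons. A short comment on the new guard would also help the next reader, for example `/* a suffix longer than the string cannot match; this also keeps the offset inside s */`. The body of str_endswith starts and ends outside this hunk, so how `case_insensitive` is set and how the arguments are type-checked is not visible here.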