Avoid copying past end of buffer in String.concat (#8198)

paulocsanz · web-flow · commit 2946ce055c14 · 2021-07-08T16:35:09.000-07:00
diff --git a/cores/esp8266/WString.cpp b/cores/esp8266/WString.cpp
@@ -305,7 +305,7 @@ bool String::concat(const char *cstr, unsigned int length) {
         return true;
     if (!reserve(newlen))
         return false;
-    memmove_P(wbuffer() + len(), cstr, length + 1);
+    memmove_P(wbuffer() + len(), cstr, length);
     setLen(newlen);
     wbuffer()[newlen] = 0;
     return true;
diff --git a/tests/host/core/test_string.cpp b/tests/host/core/test_string.cpp
@@ -594,3 +594,13 @@ TEST_CASE("String chaining", "[core][String]")
     REQUIRE(static_cast<const void*>(result.c_str()) == static_cast<const void*>(ptr));
   }
 }
+
+TEST_CASE("String concat OOB #8198", "[core][String]")
+{
+    char *p = (char*)malloc(16);
+    memset(p, 'x', 16);
+    String s = "abcd";
+    s.concat(p, 16);
+    REQUIRE(!strcmp(s.c_str(), "abcdxxxxxxxxxxxxxxxx"));
+    free(p);
+}

Original file line number	Diff line number	Diff line change
`@@ -594,3 +594,13 @@ TEST_CASE("String chaining", "[core][String]")`
`594`	`594`	`REQUIRE(static_cast<const void>(result.c_str()) == static_cast<const void>(ptr));`
`595`	`595`	`}`
`596`	`596`	`}`
	`597`	`+`
	`598`	`+TEST_CASE("String concat OOB #8198", "[core][String]")`
	`599`	`+{`
	`600`	`+ char p = (char)malloc(16);`
	`601`	`+ memset(p, 'x', 16);`
	`602`	`+ String s = "abcd";`
	`603`	`+ s.concat(p, 16);`
	`604`	`+ REQUIRE(!strcmp(s.c_str(), "abcdxxxxxxxxxxxxxxxx"));`
	`605`	`+ free(p);`
	`606`	`+}`