Due to incorrect unit test design, two overread conditions went
undetected in the amd64 baseline stpncpy() implementation.
For buffers of 1--16 and 32 bytes that do not contain nul bytes
and end exactly at a page boundary, the code would incorrectly
read 16 bytes from the next page, possibly crossing into an
unmapped page and crashing the program. If the next page was
mapped, the code would then proceed with the expected behaviour
of the stpncpy() function.
Three changes were made to fix the bug:
- an off-by-one error is fixed in the code deciding whether to enter the runt case or not, entering it for 0<n<=32 bytes instead of 0<n<32 bytes as it was before.
- in the runt case, the logic to skip reading a second 16-byte chunk if the buffer ends in the first chunk was fixed to account for buffers that end at a 16-byte boundary but do not hold a nul byte.
- in the runt case, the logic to transform the location of the end of the input buffer into a bit mask was fixed to allow the case of n==32, which was previously impossible due to the incorrect logic for entering said case.
The performance impact should be minimal.
PR: 291359
See also: D54169
Reported by: Collin Funk <collin.funk1@gmail.com>
MFC after: 1 week