From 60b9cf50c8adac736494043f6e2d0c153c0897b8 Mon Sep 17 00:00:00 2001
From: George Burgess IV
Date: Wed, 26 Nov 2025 11:16:53 -0700
Subject: [PATCH] fix out-of-bounds read in `find.cc`

libcxx hardening was breaking in kati's tests, since `TrimLeftSpace(cur_)` may return an empty string_view, and we're unconditionally accessing `[0]` after that. It looks like the code that follows the `while` loop gracefully handles empty strings, so add a simple check for `empty()` that falls through to that.

Test: Android: `prebuilts/build-tools/build-prebuilts.sh` now passes
---
 src/find.cc | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/src/find.cc b/src/find.cc
index 0a435278..21fd63cd 100644
--- a/src/find.cc
+++ b/src/find.cc
@@ -661,24 +661,26 @@ class FindCommandParser {
 cur_ = TrimLeftSpace(cur_);
- if (cur_[0] == ';') {
- *tok = cur_.substr(0, 1);
- cur_ = cur_.substr(1);
- return true;
- }
- if (cur_[0] == '&') {
- if (cur_.size() < 2 || cur_[1] != '&') {
- return false;
+ size_t i = 0;
+ if (!cur_.empty()) {
+ if (cur_[0] == ';') {
+ *tok = cur_.substr(0, 1);
+ cur_ = cur_.substr(1);
+ return true;
+ }
+ if (cur_[0] == '&') {
+ if (cur_.size() < 2 || cur_[1] != '&') {
+ return false;
+ }
+ *tok = cur_.substr(0, 2);
+ cur_ = cur_.substr(2);
+ return true;
 }
- *tok = cur_.substr(0, 2);
- cur_ = cur_.substr(2);
- return true;
- }
- size_t i = 0;
- while (i < cur_.size() && !isspace(cur_[i]) && cur_[i] != ';' &&
- cur_[i] != '&') {
- i++;
+ while (i < cur_.size() && !isspace(cur_[i]) && cur_[i] != ';' &&
+ cur_[i] != '&') {
+ i++;
+ }
 }
 *tok = cur_.substr(0, i);