Fix potential invalid memory access in StringSplitter (#2996)

gitccl · web-flow · commit 10f8b24b96ba · 2025-06-16T10:07:04.000+08:00
diff --git a/src/butil/string_splitter_inl.h b/src/butil/string_splitter_inl.h
@@ -47,9 +47,9 @@ void StringSplitter::init() {
     // Find the starting _head and _tail.
     if (__builtin_expect(_head != NULL, 1)) {
         if (_empty_field_action == SKIP_EMPTY_FIELD) {
-            for (; _sep == *_head && not_end(_head); ++_head) {}
+            for (; not_end(_head) && *_head == _sep; ++_head) {}
         }
-        for (_tail = _head; *_tail != _sep && not_end(_tail); ++_tail) {}
+        for (_tail = _head; not_end(_tail) && *_tail != _sep; ++_tail) {}
     } else {
         _tail = NULL;
     }
@@ -60,11 +60,11 @@ StringSplitter& StringSplitter::operator++() {
         if (not_end(_tail)) {
             ++_tail;
             if (_empty_field_action == SKIP_EMPTY_FIELD) {
-                for (; _sep == *_tail && not_end(_tail); ++_tail) {}
+                for (; not_end(_tail) && *_tail == _sep; ++_tail) {}
             }
         }
         _head = _tail;
-        for (; *_tail != _sep && not_end(_tail); ++_tail) {}
+        for (; not_end(_tail) && *_tail != _sep; ++_tail) {}
     }
     return *this;
 }
@@ -189,9 +189,9 @@ StringMultiSplitter::StringMultiSplitter (
 void StringMultiSplitter::init() {
     if (__builtin_expect(_head != NULL, 1)) {
         if (_empty_field_action == SKIP_EMPTY_FIELD) {
-            for (; is_sep(*_head) && not_end(_head); ++_head) {}
+            for (; not_end(_head) && is_sep(*_head); ++_head) {}
         }
-        for (_tail = _head; !is_sep(*_tail) && not_end(_tail); ++_tail) {}
+        for (_tail = _head; not_end(_tail) && !is_sep(*_tail); ++_tail) {}
     } else {
         _tail = NULL;
     }
@@ -202,11 +202,11 @@ StringMultiSplitter& StringMultiSplitter::operator++() {
         if (not_end(_tail)) {
             ++_tail;
             if (_empty_field_action == SKIP_EMPTY_FIELD) {
-                for (; is_sep(*_tail) && not_end(_tail); ++_tail) {}
+                for (; not_end(_tail) && is_sep(*_tail); ++_tail) {}
             }
         }
         _head = _tail;
-        for (; !is_sep(*_tail) && not_end(_tail); ++_tail) {}
+        for (; not_end(_tail) && !is_sep(*_tail); ++_tail) {}
     }
     return *this;
 }
diff --git a/test/string_splitter_unittest.cpp b/test/string_splitter_unittest.cpp
@@ -354,6 +354,51 @@ TEST_F(StringSplitterTest, split_limit_len) {
     ASSERT_FALSE(ss3);
 }
 
+TEST_F(StringSplitterTest, non_null_terminated_string) {
+    const char str[] = "  a non  null   terminated  string   ";
+    const size_t len = strlen(str);
+    char* buf = new char[len];
+    memcpy(buf, str, len);
+
+    butil::StringSplitter ss(buf, buf + len, ' ');
+
+    // "a"
+    ASSERT_TRUE(ss != NULL);
+    ASSERT_EQ(1ul, ss.length());
+    ASSERT_EQ(ss.field(), buf + 2);
+
+    // "non"
+    ++ss;
+    ASSERT_TRUE(ss != NULL);
+    ASSERT_EQ(3ul, ss.length());
+    ASSERT_EQ(ss.field(), buf + 4);
+
+    // "null"
+    ++ss;
+    ASSERT_TRUE(ss != NULL);
+    ASSERT_EQ(4ul, ss.length());
+    ASSERT_EQ(ss.field(), buf + 9);
+
+    // "terminated"
+    ++ss;
+    ASSERT_TRUE(ss != NULL);
+    ASSERT_EQ(10ul, ss.length());
+    ASSERT_EQ(ss.field(), buf + 16);
+
+    // "string"
+    ++ss;
+    ASSERT_TRUE(ss != NULL);
+    ASSERT_EQ(6ul, ss.length());
+    ASSERT_EQ(ss.field(), buf + 28);
+
+    ++ss;
+    ASSERT_FALSE(ss);
+    ASSERT_EQ(0ul, ss.length());
+    ASSERT_EQ(ss.field(), buf + len);
+
+    delete[] buf;
+}
+
 TEST_F(StringSplitterTest, key_value_pairs_splitter_sanity) {
     std::string kvstr = "key1=value1&&&key2=value2&key3=value3&===&key4=&=&=value5";
     for (int i = 0 ; i < 3; ++i) {

Original file line number	Diff line number	Diff line change
`@@ -47,9 +47,9 @@ void StringSplitter::init() {`
`47`	`47`	`// Find the starting _head and _tail.`
`48`	`48`	`if (__builtin_expect(_head != NULL, 1)) {`
`49`	`49`	`if (_empty_field_action == SKIP_EMPTY_FIELD) {`
`50`		`- for (; _sep == *_head && not_end(_head); ++_head) {}`
	`50`	`+ for (; not_end(_head) && *_head == _sep; ++_head) {}`
`51`	`51`	`}`
`52`		`- for (_tail = _head; *_tail != _sep && not_end(_tail); ++_tail) {}`
	`52`	`+ for (_tail = _head; not_end(_tail) && *_tail != _sep; ++_tail) {}`
`53`	`53`	`} else {`
`54`	`54`	`_tail = NULL;`
`55`	`55`	`}`
`@@ -60,11 +60,11 @@ StringSplitter& StringSplitter::operator++() {`
`60`	`60`	`if (not_end(_tail)) {`
`61`	`61`	`++_tail;`
`62`	`62`	`if (_empty_field_action == SKIP_EMPTY_FIELD) {`
`63`		`- for (; _sep == *_tail && not_end(_tail); ++_tail) {}`
	`63`	`+ for (; not_end(_tail) && *_tail == _sep; ++_tail) {}`
`64`	`64`	`}`
`65`	`65`	`}`
`66`	`66`	`_head = _tail;`
`67`		`- for (; *_tail != _sep && not_end(_tail); ++_tail) {}`
	`67`	`+ for (; not_end(_tail) && *_tail != _sep; ++_tail) {}`
`68`	`68`	`}`
`69`	`69`	`return *this;`
`70`	`70`	`}`
`@@ -189,9 +189,9 @@ StringMultiSplitter::StringMultiSplitter (`
`189`	`189`	`void StringMultiSplitter::init() {`
`190`	`190`	`if (__builtin_expect(_head != NULL, 1)) {`
`191`	`191`	`if (_empty_field_action == SKIP_EMPTY_FIELD) {`
`192`		`- for (; is_sep(*_head) && not_end(_head); ++_head) {}`
	`192`	`+ for (; not_end(_head) && is_sep(*_head); ++_head) {}`
`193`	`193`	`}`
`194`		`- for (_tail = _head; !is_sep(*_tail) && not_end(_tail); ++_tail) {}`
	`194`	`+ for (_tail = _head; not_end(_tail) && !is_sep(*_tail); ++_tail) {}`
`195`	`195`	`} else {`
`196`	`196`	`_tail = NULL;`
`197`	`197`	`}`
`@@ -202,11 +202,11 @@ StringMultiSplitter& StringMultiSplitter::operator++() {`
`202`	`202`	`if (not_end(_tail)) {`
`203`	`203`	`++_tail;`
`204`	`204`	`if (_empty_field_action == SKIP_EMPTY_FIELD) {`
`205`		`- for (; is_sep(*_tail) && not_end(_tail); ++_tail) {}`
	`205`	`+ for (; not_end(_tail) && is_sep(*_tail); ++_tail) {}`
`206`	`206`	`}`
`207`	`207`	`}`
`208`	`208`	`_head = _tail;`
`209`		`- for (; !is_sep(*_tail) && not_end(_tail); ++_tail) {}`
	`209`	`+ for (; not_end(_tail) && !is_sep(*_tail); ++_tail) {}`
`210`	`210`	`}`
`211`	`211`	`return *this;`
`212`	`212`	`}`