From 04dba1e46f030e7e59e6bf27d042347a0acc06ee Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Thu, 24 Apr 2014 22:57:27 +0200
Subject: [PATCH] Fix off-by-one in String::substring
When checking the `left` argument, it previously allowed having left == len. However, this means the substring starts one past the last character in the string and should return the empty string. In practice, this already worked correctly, because buffer[len] contains the trailing nul, so it would (re)assign the empty string to `out`. However, fixing this check makes it a bit more logical, and prevents a fairly unlikely out-of-buffer write (to address 0x0) when calling substring on an invalidated String: String bar = (char*)NULL; bar.substring(0, 0);
---
 hardware/arduino/avr/cores/arduino/WString.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hardware/arduino/avr/cores/arduino/WString.cpp b/hardware/arduino/avr/cores/arduino/WString.cpp
index f494094bd..dcd469d7d 100644
--- a/hardware/arduino/avr/cores/arduino/WString.cpp
+++ b/hardware/arduino/avr/cores/arduino/WString.cpp
@@ -619,7 +619,7 @@ String String::substring(unsigned int left, unsigned int right) const
 left = temp;
 }
 String out;
- if (left > len) return out;
+ if (left >= len) return out;
 if (right > len) right = len;
 char temp = buffer[right]; // save the replaced character
 buffer[right] = '\0';
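Review bot: The new guard `if (left >= len) return out;` keeps the later `buffer[right] = '\0'` write away from a NULL buffer only indirectly, by relying on an invalidated String always having len == 0. That invariant is maintained elsewhere and is not visible in this hunk, so a future change to the invalidation path could silently reopen the write to address 0x0. Testing the pointer directly would make the protection local, for example `if (!buffer || left >= len) return out;`. Failing that, a comment such as `// left >= len also covers an invalidated String (buffer == NULL, len == 0)` would record why the check matters. The body of substring starts and ends outside the hunk, so the restore of the saved character is presumed rather than seen here.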