There is a bug with op_in such that when certain buffers are searched
for in other buffers, it will return values larger than the length of
the second buffer.
To demonstrate:
;`[10,10] in `[13,10,13,10]
=> 545
This is caused by giving memchr a negative Int for length, which gets
cast to a large, positive size_t.
A simple fix is to check the length before giving it to memchr, and
return zero if the length goes negative.
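The following C program, added here as an illustration and not taken from Genesis, models the length bookkeeping in the loop quoted below and puts a corrected search beside it. It assumes that `Int` is a signed integer, that `s` stays pointed at the start of the haystack while `p` moves (as in the visible lines), and it uses the report's own input, `[10,10]` in `[13,10,13,10]`, plus one constructed longer haystack. The buggy model never hands memchr a negative length; it stops and returns the value that would have been cast to size_t instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char uchar;
typedef long Int;   /* assumption: a signed integer type, like Genesis's Int */

/* Model of the length bookkeeping in the quoted loop (assumption: `s` is never
 * advanced, only `p`).  Walks the hits of the needle's first byte and applies
 * `len -= (p - s) + 1` after each one.  Returns the value `len` holds when the
 * loop stops; a result <= 0 is the negative length the report describes.
 * memchr is only ever called with a positive len, so the model stays in bounds. */
Int buggy_remaining(const uchar *s, Int len, const uchar *ss)
{
    const uchar *p = memchr(s, *ss, (size_t)len);
    while (p != NULL) {
        len -= (Int)(p - s) + 1;      /* distance from the ORIGINAL start */
        if (len <= 0)
            break;                    /* this is what memchr would have received */
        p = memchr(p + 1, *ss, (size_t)len);
    }
    return len;
}

/* What memchr actually receives once that Int is converted to size_t. */
size_t as_memchr_len(Int len)
{
    return (size_t)len;
}

/* Corrected search: remaining bytes are counted from the current cursor, and
 * the first byte is only looked for where a full needle can still fit.
 * Returns the 1-based offset of the needle in the haystack, or 0 if absent. */
Int buf_in_buf(const uchar *s, Int len, const uchar *ss, Int slen)
{
    const uchar *cur = s;
    Int remaining = len;
    if (slen <= 0 || slen > len)
        return 0;
    while (remaining >= slen) {
        const uchar *p = memchr(cur, *ss, (size_t)(remaining - slen + 1));
        if (p == NULL)
            return 0;
        if (memcmp(p, ss, (size_t)slen) == 0)
            return (Int)(p - s) + 1;
        remaining -= (Int)(p - cur) + 1;   /* distance from the CURRENT cursor */
        cur = p + 1;
    }
    return 0;
}

/* Constructed inputs: the report's case, and a longer haystack whose needle sits
 * past the point where the old accounting gives up. */
static const uchar NEEDLE[]     = {10, 10};
static const uchar HAY_REPORT[] = {13, 10, 13, 10};
static const uchar HAY_LATE[]   = {13, 10, 13, 10, 13, 10, 10};

int main(void)
{
    Int bad = buggy_remaining(HAY_REPORT, 4, NEEDLE);
    printf("old accounting leaves len = %ld, memchr would get %zu\n",
           bad, as_memchr_len(bad));
    printf("old accounting on the longer haystack stops with len = %ld\n",
           buggy_remaining(HAY_LATE, 7, NEEDLE));
    printf("fixed search: %ld in report case, %ld in longer case\n",
           buf_in_buf(HAY_REPORT, 4, NEEDLE, 2),
           buf_in_buf(HAY_LATE, 7, NEEDLE, 2));
    return 0;
}
```

Subtracting from the original start on every hit is what drives `len` below zero; with the report's input it reaches -2, which a size_t conversion turns into SIZE_MAX - 1. Note that the same bookkeeping also undercounts when it stays positive, so on the longer haystack the old loop stops searching before it reaches the needle at offset 6; a cursor-relative count avoids both problems.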
--- Genesis/src/ops/operators.c Tue Jul 13 17:07:48 1999
+++ Genesis/src/ops/operators.c.new Mon Jun 4 16:34:32 2001
@@ -2293,6 +2293,7 @@
break;
}
len -= (p - s) + 1;
+ if (len <= 0) break;
p = (uchar *) memchr(p + 1, *ss, len);
}
}
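Review bot: the new `if (len <= 0) break;` stops the loop once `len` goes negative, but in the lines shown `len -= (p - s) + 1` subtracts the distance from `s`, which is never advanced here while `p` is, so after the first hit `len` undercounts the bytes that remain after `p`; unless `s` is moved somewhere outside this hunk, the check turns an out-of-bounds read into an early exit, and a needle later in the buffer can be missed even when `len` stays positive. Count from the current position instead, e.g. keep a cursor `const uchar *cur = s;`, use `len -= (p - cur) + 1; cur = p + 1;` and `p = (uchar *) memchr(cur, *ss, len);`, after which the guard is only a defensive assert. Also confirm that the code after the loop does not treat a non-NULL `p` as a found match, since `break` leaves `p` pointing at the last candidate; setting `p = NULL` before breaking makes the not-found result explicit.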