From 14141bb4a6ea528b4c0b9295aa64348f7a675735 Mon Sep 17 00:00:00 2001
From: Paul Floyd
Date: Wed, 1 May 2024 09:24:14 +0200
Subject: [PATCH 03/11] Bug 486293 - memccpy false positives

(cherry picked from commit 805c020c6e5161966e6eb0099ebe937a510cea9e)
---
 NEWS | 1 +
 memcheck/tests/memccpy2.c | 20 ++++++++++++++++++++
 memcheck/tests/memccpy2.stderr.exp | 4 ++--
 shared/vg_replace_strmem.c | 4 ++--
 4 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index c40e00cce46b..f674191a286a 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ Branch 3.23
 The following bugs have been fixed or resolved on this branch.
 486180 [MIPS] 'VexGuestArchState' has no member named 'guest_IP_AT_SYSCALL'
+486293 memccpy false positives
 To see details of a given bug, visit https://bugs.kde.org/show_bug.cgi?id=XXXXXX
diff --git a/memcheck/tests/memccpy2.c b/memcheck/tests/memccpy2.c
index a5a1dfc9f0af..947324581715 100644
--- a/memcheck/tests/memccpy2.c
+++ b/memcheck/tests/memccpy2.c
@@ -1,6 +1,8 @@
 #include
 #include
 #include
+#include
+#include
 int main(void)
 {
@@ -9,5 +11,23 @@ int main(void)
 memccpy(astring+10, astring, '#', len-10);
 sprintf(astring, "this is a string # with something to seek");
 memccpy(astring, astring+10, '#', len);
+
+ sprintf(astring, "this is a string # with something to seek");
+ /*
+ * space is earlier than len, no overlap
+ * "this " gets copied (up to and including the first ' ')
+ * and it overwrites the destination starting with the 's' of "string"
+ * so res will point to the 'g' of "string"
+ */
+ char* res = memccpy(astring+10, astring, ' ', len-10);
+ assert(res && *res == 'g');
+ sprintf(astring, "this is a string # with something to seek");
+ /* length is 0, nothing copied, returns NULL */
+ res = memccpy(astring, "abcdefhhijklmnopqrstuvwxy", 'z', 0);
+ assert(NULL == res);
+ /* 'z' not found so 20 bytes copied, returns NULL */
+ res = memccpy(astring, "abcdefhhijklmnopqrstuvwxy", 'z', 20);
+ assert(NULL == res);
+
 free(astring);
 }
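Review bot: The first new assertion, `assert(res && *res == 'g');`, checks the character at the returned pointer rather than the pointer itself, so a return value that is off but happens to land on another 'g' would still pass; pinning the address as `assert(res == astring + 15 && *res == 'g');` ties it to the 5-byte "this " copy the comment describes. The cases added here stop the copy early with dst above src, pass length 0, or never find the stop byte; none places the stop byte in the last of the len bytes, which is the boundary of the `len - i` arithmetic this patch introduces in vg_replace_strmem.c, e.g. `res = memccpy(astring, "abc", 'c', 3); assert(res == astring + 3);`. A case with dst below src and an early stop byte is also absent, so that direction of the overlap check is unverified. main's opening and the definitions of astring and len lie outside this hunk.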
diff --git a/memcheck/tests/memccpy2.stderr.exp b/memcheck/tests/memccpy2.stderr.exp
index 0132ef06c56a..240ce925c182 100644
--- a/memcheck/tests/memccpy2.stderr.exp
+++ b/memcheck/tests/memccpy2.stderr.exp
@@ -1,8 +1,8 @@
 Source and destination overlap in memccpy(0x........, 0x........, 31)
 at 0x........: memccpy (vg_replace_strmem.c:...)
- by 0x........: main (memccpy2.c:9)
+ by 0x........: main (memccpy2.c:11)
 Source and destination overlap in memccpy(0x........, 0x........, 41)
 at 0x........: memccpy (vg_replace_strmem.c:...)
- by 0x........: main (memccpy2.c:11)
+ by 0x........: main (memccpy2.c:13)
diff --git a/shared/vg_replace_strmem.c b/shared/vg_replace_strmem.c
index 737abbf67898..ae13a2a5f87a 100644
--- a/shared/vg_replace_strmem.c
+++ b/shared/vg_replace_strmem.c
@@ -2364,9 +2364,9 @@ static inline void my_exit ( int x )
 \
 while (i-- > 0) \
 if ((*d++ = *s++) == x) { \
- SizeT srclen = (i < len) ? i : len; \
+ SizeT srclen = len - i; \
 RECORD_COPY(srclen); \
- if (is_overlap(dst, src, srclen, srclen)) \
+ if (is_overlap(dst, src, len, srclen)) \
 RECORD_OVERLAP_ERROR("memccpy", dst, src, len); \
 return d; \
 } \
--
2.45.2
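Review bot: The new `is_overlap(dst, src, len, srclen)` passes the whole len window as the destination extent although only srclen bytes have been stored through d when the stop byte is hit, so the overlap verdict now depends on how is_overlap (defined outside this hunk) treats a dstlen larger than what was written; if it compares address ranges, a dst below src whose len window reaches into src while its written prefix does not would presumably still be reported, which is the kind of false positive the commit sets out to remove. The removed line used the copied length for both arguments, which matches what memccpy actually writes once srclen is computed correctly, so unless a larger destination extent is intended `if (is_overlap(dst, src, srclen, srclen)) \` keeps the check to the bytes copied; the new test only exercises dst above src, so that direction is unverified either way. `len - i` is right only because the loop test has already post-decremented i, which deserves a note on the new line: `/* i was decremented by the loop test: len - i is the bytes stored, including x */ \`. The surrounding macro body starts and ends outside the hunk.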