Fix irrString use-after-free with char-like assignment (operator=)

2024-12-30 09:57:29 +01:00 · 2024-10-04 04:45:09 -04:00 · 2024-10-04 04:45:09 -04:00 · 05cbd84ae0
commit 05cbd84ae0
parent 84b9321977
1 changed files with 15 additions and 4 deletions
--- a/irr/include/irrString.h
+++ b/irr/include/irrString.h
@ -173,13 +173,24 @@ public:
 			return *this;
 		}

-		// no longer allowed!
-		_IRR_DEBUG_BREAK_IF((void *)c == (void *)c_str());
+		if constexpr (sizeof(T) != sizeof(B)) {
+			_IRR_DEBUG_BREAK_IF(
+				(uintptr_t)c >= (uintptr_t)(str.data()) &&
+				(uintptr_t)c <  (uintptr_t)(str.data() + str.size()));
+		}
+
+		if ((void *)c == (void *)c_str())
+			return *this;

 		u32 len = calclen(c);
-		str.resize(len);
+		// In case `c` is a pointer to our own buffer, we may not resize first
+		// or it can become invalid.
+		if (len > str.size())
+			str.resize(len);
 		for (u32 l = 0; l < len; ++l)
-			str[l] = (T)c[l];
+			str[l] = static_cast<T>(c[l]);
+		if (len < str.size())
+			str.resize(len);

 		return *this;
 	}