Fix memory overflow bug in memcmp implementation

zakcutner · zakcutner · commit bb23ba48baac · 2020-08-28T10:50:21.000+01:00
diff --git a/src/memcmp.rs b/src/memcmp.rs
@@ -1,100 +1,173 @@
 #![allow(dead_code)]
 
+use std::slice;
+
 #[inline]
-pub unsafe fn memcmp0(_: &[u8], _: &[u8]) -> bool {
+pub unsafe fn memcmp0(_: *const u8, _: *const u8, n: usize) -> bool {
+    debug_assert_eq!(n, 0);
     true
 }
 
 #[inline]
-pub unsafe fn memcmp1(left: &[u8], right: &[u8]) -> bool {
+pub unsafe fn memcmp1(left: *const u8, right: *const u8, n: usize) -> bool {
+    debug_assert_eq!(n, 1);
     *left == *right
 }
 
 #[inline]
-pub unsafe fn memcmp2(left: &[u8], right: &[u8]) -> bool {
-    let left = left.as_ptr().cast::<u16>();
-    let right = right.as_ptr().cast::<u16>();
+pub unsafe fn memcmp2(left: *const u8, right: *const u8, n: usize) -> bool {
+    debug_assert_eq!(n, 2);
+    let left = left.cast::<u16>();
+    let right = right.cast::<u16>();
     *left == *right
 }
 
 #[inline]
-pub unsafe fn memcmp3(left: &[u8], right: &[u8]) -> bool {
-    let left = left.as_ptr().cast::<u32>();
-    let right = right.as_ptr().cast::<u32>();
-    (*left & 0x00ffffff) == (*right & 0x00ffffff)
+pub unsafe fn memcmp3(left: *const u8, right: *const u8, n: usize) -> bool {
+    debug_assert_eq!(n, 3);
+    memcmp2(left, right, 2) && memcmp1(left.add(2), right.add(2), 1)
 }
 
 #[inline]
-pub unsafe fn memcmp4(left: &[u8], right: &[u8]) -> bool {
-    let left = left.as_ptr().cast::<u32>();
-    let right = right.as_ptr().cast::<u32>();
+pub unsafe fn memcmp4(left: *const u8, right: *const u8, n: usize) -> bool {
+    debug_assert_eq!(n, 4);
+    let left = left.cast::<u32>();
+    let right = right.cast::<u32>();
     *left == *right
 }
 
 #[inline]
-pub unsafe fn memcmp5(left: &[u8], right: &[u8]) -> bool {
-    let left = left.as_ptr().cast::<u64>();
-    let right = right.as_ptr().cast::<u64>();
-    (*left ^ *right).trailing_zeros() >= 40
+pub unsafe fn memcmp5(left: *const u8, right: *const u8, n: usize) -> bool {
+    debug_assert_eq!(n, 5);
+    memcmp4(left, right, 4) && memcmp1(left.add(4), right.add(4), 1)
 }
 
 #[inline]
-pub unsafe fn memcmp6(left: &[u8], right: &[u8]) -> bool {
-    let left = left.as_ptr().cast::<u64>();
-    let right = right.as_ptr().cast::<u64>();
-    (*left ^ *right).trailing_zeros() >= 48
+pub unsafe fn memcmp6(left: *const u8, right: *const u8, n: usize) -> bool {
+    debug_assert_eq!(n, 6);
+    memcmp4(left, right, 4) && memcmp2(left.add(4), right.add(4), 2)
 }
 
-#[allow(dead_code)]
 #[inline]
-pub unsafe fn memcmp7(left: &[u8], right: &[u8]) -> bool {
-    let left = left.as_ptr().cast::<u64>();
-    let right = right.as_ptr().cast::<u64>();
-    (*left ^ *right).trailing_zeros() >= 56
+pub unsafe fn memcmp7(left: *const u8, right: *const u8, n: usize) -> bool {
+    debug_assert_eq!(n, 7);
+    memcmp4(left, right, 4) && memcmp3(left.add(4), right.add(4), 3)
 }
 
 #[inline]
-pub unsafe fn memcmp8(left: &[u8], right: &[u8]) -> bool {
-    let left = left.as_ptr().cast::<u64>();
-    let right = right.as_ptr().cast::<u64>();
+pub unsafe fn memcmp8(left: *const u8, right: *const u8, n: usize) -> bool {
+    debug_assert_eq!(n, 8);
+    let left = left.cast::<u64>();
+    let right = right.cast::<u64>();
     *left == *right
 }
 
 #[inline]
-pub unsafe fn memcmp9(left: &[u8], right: &[u8]) -> bool {
-    let left_first = left.as_ptr().cast::<u64>();
-    let right_first = right.as_ptr().cast::<u64>();
-    *left_first == *right_first && *left.as_ptr().add(8) == *right.as_ptr().add(8)
+pub unsafe fn memcmp9(left: *const u8, right: *const u8, n: usize) -> bool {
+    debug_assert_eq!(n, 9);
+    memcmp8(left, right, 8) && memcmp1(left.add(8), right.add(8), 1)
 }
 
 #[inline]
-pub unsafe fn memcmp10(left: &[u8], right: &[u8]) -> bool {
-    let left_first = left.as_ptr().cast::<u64>();
-    let right_first = right.as_ptr().cast::<u64>();
-    let left_second = left.as_ptr().add(8).cast::<u16>();
-    let right_second = right.as_ptr().add(8).cast::<u16>();
-    *left_first == *right_first && *left_second == *right_second
+pub unsafe fn memcmp10(left: *const u8, right: *const u8, n: usize) -> bool {
+    debug_assert_eq!(n, 10);
+    memcmp8(left, right, 8) && memcmp2(left.add(8), right.add(8), 2)
 }
 
 #[inline]
-pub unsafe fn memcmp11(left: &[u8], right: &[u8]) -> bool {
-    let left_first = left.as_ptr().cast::<u64>();
-    let right_first = right.as_ptr().cast::<u64>();
-    let left_second = left.as_ptr().add(8).cast::<u32>();
-    let right_second = right.as_ptr().add(8).cast::<u32>();
-    *left_first == *right_first && (*left_second & 0x00ffffff) == (*right_second & 0x00ffffff)
+pub unsafe fn memcmp11(left: *const u8, right: *const u8, n: usize) -> bool {
+    debug_assert_eq!(n, 11);
+    memcmp8(left, right, 8) && memcmp3(left.add(8), right.add(8), 3)
 }
 
 #[inline]
-pub unsafe fn memcmp12(left: &[u8], right: &[u8]) -> bool {
-    let left_first = left.as_ptr().cast::<u64>();
-    let right_first = right.as_ptr().cast::<u64>();
-    let left_second = left.as_ptr().add(8).cast::<u32>();
-    let right_second = right.as_ptr().add(8).cast::<u32>();
-    *left_first == *right_first && *left_second == *right_second
+pub unsafe fn memcmp12(left: *const u8, right: *const u8, n: usize) -> bool {
+    debug_assert_eq!(n, 12);
+    memcmp8(left, right, 8) && memcmp4(left.add(8), right.add(8), 4)
 }
 
 #[inline]
-pub unsafe fn memcmp(left: &[u8], right: &[u8]) -> bool {
-    left == right
+pub unsafe fn memcmp(left: *const u8, right: *const u8, n: usize) -> bool {
+    slice::from_raw_parts(left, n) == slice::from_raw_parts(right, n)
+}
+
+#[cfg(test)]
+mod tests {
+    fn memcmp(f: unsafe fn(*const u8, *const u8, usize) -> bool, n: usize) {
+        let left = vec![b'0'; n];
+        unsafe { assert!(f(left.as_ptr(), left.as_ptr(), n)) };
+        unsafe { assert!(super::memcmp(left.as_ptr(), left.as_ptr(), n)) };
+
+        for i in 0..n {
+            let mut right = left.clone();
+            right[i] = b'1';
+            unsafe { assert!(!f(left.as_ptr(), right.as_ptr(), n)) };
+            unsafe { assert!(!super::memcmp(left.as_ptr(), right.as_ptr(), n)) };
+        }
+    }
+
+    #[test]
+    fn memcmp0() {
+        memcmp(super::memcmp0, 0);
+    }
+
+    #[test]
+    fn memcmp1() {
+        memcmp(super::memcmp1, 1);
+    }
+
+    #[test]
+    fn memcmp2() {
+        memcmp(super::memcmp2, 2);
+    }
+
+    #[test]
+    fn memcmp3() {
+        memcmp(super::memcmp3, 3);
+    }
+
+    #[test]
+    fn memcmp4() {
+        memcmp(super::memcmp4, 4);
+    }
+
+    #[test]
+    fn memcmp5() {
+        memcmp(super::memcmp5, 5);
+    }
+
+    #[test]
+    fn memcmp6() {
+        memcmp(super::memcmp6, 6);
+    }
+
+    #[test]
+    fn memcmp7() {
+        memcmp(super::memcmp7, 7);
+    }
+
+    #[test]
+    fn memcmp8() {
+        memcmp(super::memcmp8, 8);
+    }
+
+    #[test]
+    fn memcmp9() {
+        memcmp(super::memcmp9, 9);
+    }
+
+    #[test]
+    fn memcmp10() {
+        memcmp(super::memcmp10, 10);
+    }
+
+    #[test]
+    fn memcmp11() {
+        memcmp(super::memcmp11, 11);
+    }
+
+    #[test]
+    fn memcmp12() {
+        memcmp(super::memcmp12, 12);
+    }
 }
diff --git a/src/x86/avx2/deprecated/original.rs b/src/x86/avx2/deprecated/original.rs
@@ -3,7 +3,6 @@ use crate::{bits::clear_leftmost_set, memcmp::*};
 use std::arch::x86::*;
 #[cfg(target_arch = "x86_64")]
 use std::arch::x86_64::*;
-use std::slice::from_raw_parts;
 
 #[inline]
 #[target_feature(enable = "avx2")]
@@ -12,7 +11,7 @@ unsafe fn strstr_avx2_original_memcmp(
     n: usize,
     needle: *const u8,
     k: usize,
-    memcmp: unsafe fn(&[u8], &[u8]) -> bool,
+    memcmp: unsafe fn(*const u8, *const u8, usize) -> bool,
 ) -> Option<usize> {
     let first = _mm256_set1_epi8(*needle as i8);
     let last = _mm256_set1_epi8(*needle.add(k - 1) as i8);
@@ -32,10 +31,7 @@ unsafe fn strstr_avx2_original_memcmp(
         while mask != 0 {
             let bitpos = mask.trailing_zeros() as usize;
             let startpos = i + bitpos + 1;
-            if memcmp(
-                from_raw_parts(haystack.add(startpos), k - 2),
-                from_raw_parts(needle.add(1), k - 2),
-            ) {
+            if memcmp(haystack.add(startpos), needle.add(1), k - 2) {
                 return Some(i + bitpos);
             }
             mask = clear_leftmost_set(mask);
@@ -78,14 +74,12 @@ pub unsafe fn strstr_avx2_original(haystack: &[u8], needle: &[u8]) -> bool {
             needle.len(),
             memcmp2,
         ),
-        // Note: use memcmp4 rather memcmp3, as the last character of needle is already proven to be
-        // equal
         5 => strstr_avx2_original_memcmp(
             haystack.as_ptr(),
             haystack.len(),
             needle.as_ptr(),
             needle.len(),
-            memcmp4,
+            memcmp3,
         ),
         6 => strstr_avx2_original_memcmp(
             haystack.as_ptr(),
@@ -108,13 +102,12 @@ pub unsafe fn strstr_avx2_original(haystack: &[u8], needle: &[u8]) -> bool {
             needle.len(),
             memcmp6,
         ),
-        // Note: use memcmp8 rather memcmp7 for the same reason as above.
         9 => strstr_avx2_original_memcmp(
             haystack.as_ptr(),
             haystack.len(),
             needle.as_ptr(),
             needle.len(),
-            memcmp8,
+            memcmp7,
         ),
         10 => strstr_avx2_original_memcmp(
             haystack.as_ptr(),
diff --git a/src/x86/avx2/deprecated/rust.rs b/src/x86/avx2/deprecated/rust.rs
@@ -11,7 +11,7 @@ use std::arch::x86_64::*;
 unsafe fn strstr_avx2_rust_memcmp(
     haystack: &[u8],
     needle: &[u8],
-    memcmp: unsafe fn(&[u8], &[u8]) -> bool,
+    memcmp: unsafe fn(*const u8, *const u8, usize) -> bool,
 ) -> bool {
     if haystack.len() < 32 {
         return strstr_rabin_karp(haystack, needle);
@@ -35,8 +35,9 @@ unsafe fn strstr_avx2_rust_memcmp(
             let startpos = i + bitpos;
             if startpos + needle.len() <= haystack.len()
                 && memcmp(
-                    &haystack[(startpos + 1)..(startpos + needle.len() - 1)],
-                    &needle[1..needle.len() - 1],
+                    haystack.as_ptr().add(startpos + 1),
+                    needle.as_ptr().add(1),
+                    needle.len() - 2,
                 )
             {
                 return true;
@@ -90,11 +91,11 @@ pub unsafe fn strstr_avx2_rust(haystack: &[u8], needle: &[u8]) -> bool {
         2 => strstr_avx2_rust_memcmp(haystack, needle, memcmp0),
         3 => strstr_avx2_rust_memcmp(haystack, needle, memcmp1),
         4 => strstr_avx2_rust_memcmp(haystack, needle, memcmp2),
-        5 => strstr_avx2_rust_memcmp(haystack, needle, memcmp4),
+        5 => strstr_avx2_rust_memcmp(haystack, needle, memcmp3),
         6 => strstr_avx2_rust_memcmp(haystack, needle, memcmp4),
         7 => strstr_avx2_rust_memcmp(haystack, needle, memcmp5),
         8 => strstr_avx2_rust_memcmp(haystack, needle, memcmp6),
-        9 => strstr_avx2_rust_memcmp(haystack, needle, memcmp8),
+        9 => strstr_avx2_rust_memcmp(haystack, needle, memcmp7),
         10 => strstr_avx2_rust_memcmp(haystack, needle, memcmp8),
         11 => strstr_avx2_rust_memcmp(haystack, needle, memcmp9),
         12 => strstr_avx2_rust_memcmp(haystack, needle, memcmp10),
diff --git a/src/x86/avx2/mod.rs b/src/x86/avx2/mod.rs
@@ -246,9 +246,12 @@ macro_rules! avx2_searcher {
                 let mut eq = (Vector::movemask_epi8(eq) & mask) as u32;
 
                 let start = start as usize - haystack.as_ptr() as usize;
+                let chunk = haystack.as_ptr().add(start + 1);
+                let needle = self.needle.as_ptr().add(1);
+
                 while eq != 0 {
-                    let chunk = &haystack[start + eq.trailing_zeros() as usize..];
-                    if $memcmp(&chunk[1..self.size()], &self.needle[1..]) {
+                    let chunk = chunk.add(eq.trailing_zeros() as usize);
+                    if $memcmp(chunk, needle, self.size() - 1) {
                         return true;
                     }
 
