Strchr: Ensure that the string is long enough to include the found ch…

…aracter (angr#3251) * Strchr: Ensure that the string is long enough to include the found character * strchr: Fix search for NULL byte * strchr: Push the handling of NULL into the constraint Co-authored-by: Edward J. Schwartz <[email protected]>
jomanchu-twosix · Mar 30, 2022 · 884fb07 · 884fb07
1 parent dc0b2df
commit 884fb07
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/angr/procedures/libc/strchr.py b/angr/procedures/libc/strchr.py
@@ -30,6 +30,14 @@ def run(self, s_addr, c_int, s_strlen=None):
             a = a.annotate(MultiwriteAnnotation())
             self.state.add_constraints(*c)
 
+        # If we found the character we are looking for, we need to
+        # ensure that the string length is long enough to include
+        # the character!
+        chrpos = a - s_addr
+        self.state.add_constraints(self.state.solver.If(a != 0,
+                                                        chrpos <= s_strlen.ret_expr,
+                                                        True))
+
         return a
         #self.state.add_constraints(self.state.solver.ULT(a - s_addr, s_strlen.ret_expr))
         #self.max_chr_index = max(i)