Fix off-by-one in String::substring

matthijskooijman · matthijskooijman · commit 04dba1e46f03 · 2014-09-10T13:42:06.000+02:00
When checking the `left` argument, it previously allowed having
left == len. However, this means the substring starts one past the last
character in the string and should return the empty string. In practice,
this already worked correctly, because buffer[len] contains the trailing
nul, so it would (re)assign the empty string to `out`.

However, fixing this check makes it a bit more logical, and prevents a
fairly unlikely out-of-buffer write (to address 0x0) when calling
substring on an invalidated String:

	String bar = (char*)NULL;
	bar.substring(0, 0);
diff --git a/hardware/arduino/avr/cores/arduino/WString.cpp b/hardware/arduino/avr/cores/arduino/WString.cpp
@@ -619,7 +619,7 @@ String String::substring(unsigned int left, unsigned int right) const
 		left = temp;
 	}
 	String out;
-	if (left > len) return out;
+	if (left >= len) return out;
 	if (right > len) right = len;
 	char temp = buffer[right];  // save the replaced character
 	buffer[right] = '\0';	

Original file line number	Diff line number	Diff line change
`@@ -619,7 +619,7 @@ String String::substring(unsigned int left, unsigned int right) const`
`619`	`619`	`left = temp;`
`620`	`620`	`}`
`621`	`621`	`String out;`
`622`		`- if (left > len) return out;`
	`622`	`+ if (left >= len) return out;`
`623`	`623`	`if (right > len) right = len;`
`624`	`624`	`char temp = buffer[right]; // save the replaced character`
`625`	`625`	`buffer[right] = '\0';`