py/objstr: Don't crash when end < start

jepler · jepler · commit 0041df0c6b49 · 2018-03-31T22:17:11.000-05:00
.. and add testcases for the same.

(crash found by afl-fuzz)
diff --git a/py/objstr.c b/py/objstr.c
@@ -692,8 +692,13 @@ STATIC mp_obj_t str_finder(size_t n_args, const mp_obj_t *args, int direction, b
         end = str_index_to_ptr(self_type, haystack, haystack_len, args[3], true);
     }
 
+    if (end < start) {
+        goto out_error;
+    }
+
     const byte *p = find_subbytes(start, end - start, needle, needle_len, direction);
     if (p == NULL) {
+    out_error:
         // not found
         if (is_index) {
             mp_raise_ValueError("substring not found");
diff --git a/tests/basics/string_find.py b/tests/basics/string_find.py
@@ -21,6 +21,7 @@
 print("0000".find('1', 3))
 print("0000".find('1', 4))
 print("0000".find('1', 5))
+print("aaaaaaaaaaa".find("bbb", 9, 2))
 
 try:
     'abc'.find(1)
diff --git a/tests/basics/string_rfind.py b/tests/basics/string_rfind.py
@@ -21,3 +21,4 @@
 print("0000".rfind('1', 3))
 print("0000".rfind('1', 4))
 print("0000".rfind('1', 5))
+print("aaaaaaaaaaa".rfind("bbb", 9, 2))
