fix: ci_is_less OOB read

alandefreitas · alandefreitas · commit d045d71fdc92 · 2026-03-02T19:44:17.000-05:00
diff --git a/src/grammar/ci_string.cpp b/src/grammar/ci_string.cpp
@@ -62,15 +62,16 @@ ci_is_less(
 {
     auto p1 = s0.data();
     auto p2 = s1.data();
-    for(auto n = s0.size();n--;)
+    auto n = s0.size() < s1.size()
+        ? s0.size() : s1.size();
+    while(n--)
     {
         auto c1 = to_lower(*p1++);
         auto c2 = to_lower(*p2++);
         if(c1 != c2)
             return c1 < c2;
     }
-    // equal
-    return false;
+    return s0.size() < s1.size();
 }
 
 } // detail
diff --git a/test/unit/grammar/ci_string.cpp b/test/unit/grammar/ci_string.cpp
@@ -110,6 +110,12 @@ class ascii_test
         static_assert(std::is_same<
             decltype(ci_less{}("a", "b")),
             bool>::value, "");
+
+        // ci_is_less with mismatched lengths
+        // (OOB read regression)
+        BOOST_TEST(ci_is_less("ab", "abc"));
+        BOOST_TEST(! ci_is_less("abc", "ab"));
+        BOOST_TEST(! ci_is_less("ABC", "ab"));
     }
 
     void
