Bug in several String functions, out of bounds crash #9426

Closed
@TD-er

Board

Any

Device Description

Hardware Configuration

Version

latest master (checkout manually)

IDE Name

PlatformIO

Operating System

Windows 11

Flash frequency

40MHz

PSRAM enabled

yes

Upload speed

115200

Description

See similar issue for ESP8266: esp8266/Arduino#9110

In several String functions, wbuffer()[N] is used where N might be the size of the allocated buffer.
For example: (line 313)

```cpp
bool String::concat(const String &s) {
    // Special case if we're concatting ourself (s += s;) since we may end up
    // realloc'ing the buffer and moving s.buffer in the method called
    if (&s == this) {
        unsigned int newlen = 2 * len();
        if (!s.buffer())
            return false;
        if (s.len() == 0)
            return true;
        if (!reserve(newlen))
            return false;
        memmove(wbuffer() + len(), buffer(), len());
        setLen(newlen);
        wbuffer()[len()] = 0;
        return true;
    } else {
        return concat(s.buffer(), s.len());
    }
}
```

And this part in String::replace:

```cpp
while (index >= 0 && (index = lastIndexOf(find, index)) >= 0) {
    readFrom = wbuffer() + index + find.len();
    memmove(readFrom + diff, readFrom, len() - (readFrom - buffer()));
    int newLen = len() + diff;
    memmove(wbuffer() + index, replace.buffer(), replace.len());
    setLen(newLen);
    wbuffer()[newLen] = 0;
    index--;
}
```

Also this one tries to copy past the allocated buffer:

```cpp
String &String::copy(const char *cstr, unsigned int length) {
    if (!reserve(length)) {
        invalidate();
        return *this;
    }
    memmove(wbuffer(), cstr, length + 1);
    setLen(length);
    return *this;
}
```

And this one: (lines 330 and 333)

```cpp
bool String::concat(const char *cstr, unsigned int length) {
    unsigned int newlen = len() + length;
    if (!cstr)
        return false;
    if (length == 0)
        return true;
    if (!reserve(newlen))
        return false;
    if (cstr >= wbuffer() && cstr < wbuffer() + len())
        // compatible with SSO in ram #6155 (case "x += x.c_str()")
        memmove(wbuffer() + len(), cstr, length + 1);
    else
        // compatible with source in flash #6367
        memcpy_P(wbuffer() + len(), cstr, length + 1);
    setLen(newlen);
    return true;
}
```

Maybe the simplest fix might be to adapt String::changeBuffer:

```cpp
size_t newSize = (maxStrLen + 16 + 1) & (~0xf);
```

Sketch

-

Debug Message

-

Other Steps to Reproduce

No response

I have checked existing issues, online documentation and the Troubleshooting Guide

  • I confirm I have checked existing issues, online documentation and Troubleshooting guide.
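The pattern the report describes (a terminator written at index `len()` when the allocation may only be `len()` bytes) is easiest to catch when every write into the buffer goes through a single point that compares the index against the number of bytes actually obtained from the allocator, not against the character capacity. The harness below is an added example written for this page, not code from arduino-esp32: `CheckedString` is a constructed stand-in for a heap-backed String that tracks `allocated` bytes separately from `cap` characters, uses the rounding expression proposed above as its `sizeFor`, and records rather than performs any write that would leave the allocation. It then drives the three cases named in the report (`copy`, `s += s`, and an append whose source aliases the string's own buffer) and checks that the proposed sizing always leaves a slot for the terminator.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdlib>
#include <cstring>

// Constructed stand-in for a heap-backed String buffer with explicit byte
// accounting. Not the arduino-esp32 String class. `allocated` counts bytes
// obtained from realloc; `cap` is the number of characters that fit without
// the terminator (allocated - 1). Every byte write is checked against
// `allocated`, so an off-by-one at index `length` is detected, not silently
// written past the end.
struct CheckedString {
    char *buf = nullptr;
    size_t allocated = 0;  // bytes owned
    size_t cap = 0;        // characters storable, excluding the NUL
    size_t length = 0;     // current character count
    bool oobWrite = false; // set when a write would leave the allocation

    CheckedString() = default;
    CheckedString(const CheckedString &) = delete;
    CheckedString &operator=(const CheckedString &) = delete;
    ~CheckedString() { free(buf); }

    // Sizing expression proposed in the issue for changeBuffer: room for
    // maxStrLen characters plus the terminator, rounded up to 16 bytes.
    static size_t sizeFor(size_t maxStrLen) {
        return (maxStrLen + 16 + 1) & ~static_cast<size_t>(0xf);
    }

    bool reserve(size_t maxStrLen) {
        if (buf && maxStrLen <= cap) return true;
        size_t newSize = sizeFor(maxStrLen);
        char *nb = static_cast<char *>(realloc(buf, newSize));
        if (!nb) return false;
        if (!buf) nb[0] = '\0';  // fresh allocation starts as an empty string
        buf = nb;
        allocated = newSize;
        cap = newSize - 1;
        return true;
    }

    // Single choke point for byte writes: an index at or past `allocated`
    // is recorded as an out-of-bounds attempt instead of being performed.
    bool put(size_t idx, char c) {
        if (idx >= allocated) { oobWrite = true; return false; }
        buf[idx] = c;
        return true;
    }

    // Mirrors the `setLen(n); wbuffer()[n] = 0;` pattern through the checked path.
    bool setLen(size_t n) {
        if (n > cap) { oobWrite = true; return false; }
        length = n;
        return put(n, '\0');
    }

    bool copy(const char *cstr, size_t n) {
        if (!reserve(n)) return false;
        for (size_t i = 0; i < n; ++i) put(i, cstr[i]);
        return setLen(n);
    }

    // Append that tolerates `cstr` pointing into our own buffer (the
    // `x += x.c_str()` case): the offset is captured before realloc can move it.
    bool append(const char *cstr, size_t n) {
        if (!cstr) return false;
        if (n == 0) return true;
        bool aliased = buf && cstr >= buf && cstr < buf + allocated;
        size_t off = aliased ? static_cast<size_t>(cstr - buf) : 0;
        size_t oldLen = length;
        if (!reserve(oldLen + n)) return false;
        const char *src = aliased ? buf + off : cstr;
        for (size_t i = 0; i < n; ++i) put(oldLen + i, src[i]);
        return setLen(oldLen + n);
    }

    bool appendSelf() { return append(buf, length); }  // the `s += s` case
};

// Property the proposed rounding must satisfy: the allocation always has a
// slot for the terminator at index maxStrLen, for every length up to `upTo`.
bool terminatorAlwaysFits(size_t upTo) {
    for (size_t n = 0; n <= upTo; ++n)
        if (CheckedString::sizeFor(n) < n + 1) return false;
    return true;
}

// Drives the operations named in the report; returns true only when no write
// escaped the allocation and the resulting content has the expected length.
bool exercise() {
    CheckedString s;
    if (!s.copy("0123456789abcde", 15)) return false;  // exactly 15 characters
    if (!s.appendSelf()) return false;                  // 30 characters
    if (!s.append(s.buf + 5, 10)) return false;         // aliased source, 40 characters
    return !s.oobWrite && s.length == 40 && strlen(s.buf) == 40;
}

int main() { return (exercise() && terminatorAlwaysFits(4096)) ? 0 : 1; }
```

The value of routing writes through `put` is that the check compares against bytes owned, which is the quantity the report says can equal the index being written; running the same harness under AddressSanitizer gives the same signal for a real String implementation without modifying it.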
