"GOT", but the "O" is a cute, smiling pufferfish. Index | Thread | Search

From: Stefan Sperling <stsp@stsp.name>
Subject: Re: missing length check in got_path_is_child()
To: Theo Buehler <tb@theobuehler.org>
Cc: gameoftrees@openbsd.org
Date: Wed, 11 May 2022 21:00:36 +0200


On Wed, May 11, 2022 at 04:22:31PM +0200, Theo Buehler wrote:
> On Wed, May 11, 2022 at 04:05:33PM +0200, Stefan Sperling wrote:
> > If the child path is a NUL-terminated C string shorter than the parent
> > path, and the child path matches the parent path up to the child's end,
> > then we end up with an out-of-bounds read.
> 
> In this situation the child's terminating NUL is smaller than the
> corresponding non-zero byte of the parent, so strncmp() will return > 0
> without going further. That's one reason why the manual says "The
> strncmp() function compares at most len characters."
> 
> The C standard also explicitly says "characters that follow a null
> character are not compared", so I think we can rely on that and there is
> no out-of-bounds read.

Ah, yes, that makes sense. Thank you!
I somehow believed it would stop comparing as soon as a NUL byte is
encountered on either side.

Closing as "not-a-bug" then, the best kind of bug :)
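An added illustration of the point settled above, written for this archive page and not taken from the got source: a hypothetical got_path_is_child()-style check built on strncmp(), with constructed paths showing why a child shorter than the parent cannot reach the index past strncmp() and why the comparison stops at the child's NUL.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical reconstruction of a got_path_is_child()-style check
 * (illustrative only, not the got implementation): is `child` located
 * below the directory `parent`?  parent_len is strlen(parent).
 * An empty parent (the repository root) is an ancestor of every path.
 */
int
path_is_child(const char *child, const char *parent, size_t parent_len)
{
	if (parent_len == 0)
		return 1;

	/*
	 * strncmp() compares at most parent_len bytes and returns at the
	 * first differing byte.  When child is shorter than parent_len and
	 * matches parent up to its own end, child's terminating NUL is
	 * compared against a non-zero byte of parent: the result is
	 * non-zero right there, and bytes beyond child's NUL are never read.
	 */
	if (strncmp(parent, child, parent_len) != 0)
		return 0;

	/*
	 * The first parent_len bytes of child equal parent, so child is at
	 * least parent_len bytes long and child[parent_len] is in bounds
	 * (either '/' or the NUL terminator).
	 */
	return child[parent_len] == '/';
}

/* Constructed inputs covering the cases discussed in the thread. */
int
main(void)
{
	const char *parent = "lib/path";
	size_t len = strlen(parent);

	printf("%d\n", path_is_child("lib/path/got.c", parent, len));  /* 1 */
	printf("%d\n", path_is_child("lib/pa", parent, len));          /* 0: child shorter than parent */
	printf("%d\n", path_is_child("lib/pathology.c", parent, len)); /* 0: no '/' at the boundary */
	printf("%d\n", path_is_child("lib/path", parent, len));        /* 0: same path, not a child */
	return 0;
}
```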