Merge branch 'did-sanity-memmem' into 'main'

add sanity check in tor_memmem

Closes #40854

See merge request tpo/core/tor!785

changes/ticket40854

+  o Minor feature (defense in depth):
+    - verify needle is smaller than haystack before calling memmem.
+      Closes ticket 40854.

src/lib/string/util_string.c

@@ -31,6 +31,8 @@ tor_memmem(const void *_haystack, size_t hlen,
 {
 #if defined(HAVE_MEMMEM) && (!defined(__GNUC__) || __GNUC__ >= 2)
   raw_assert(nlen);
+  if (nlen > hlen)
+    return NULL;
   return memmem(_haystack, hlen, _needle, nlen);
 #else
   /* This isn't as fast as the GLIBC implementation, but it doesn't need to