Fix integer overflow in TLVReader::GetString bounds check (project-chip#71934)

* Fix integer overflow in TLVReader::GetString bounds check

The bounds check `(mElemLenOrVal + 1) > bufSize` can wrap to 0 when
mElemLenOrVal is large (e.g., UINT32_MAX on 32-bit targets), bypassing
the buffer size validation and causing an out-of-bounds write of the
null terminator.

Replace with `mElemLenOrVal >= bufSize` which is overflow-safe and
semantically equivalent. Also pass the actual element length to GetBytes
instead of bufSize-1.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add larger-buffer test case for GetString per review feedback

Verifies that GetString with a buffer larger than the string content
succeeds correctly, confirming that GetBytes is called with the actual
element length rather than bufSize-1.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Retrigger CI (REPL timeout)

* Retrigger CI (nRF/REPL flake)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Andrei Litvin <andy314@gmail.com>

Author: 3 people

src/lib/core/TLVReader.cpp

@@ -441,12 +441,12 @@ CHIP_ERROR TLVReader::GetString(char * buf, size_t bufSize)
     if (!TLVTypeIsString(ElementType()))
         return CHIP_ERROR_WRONG_TLV_TYPE;
 
-    if ((mElemLenOrVal + 1) > bufSize)
+    if (mElemLenOrVal >= bufSize)
         return CHIP_ERROR_BUFFER_TOO_SMALL;
 
     buf[mElemLenOrVal] = 0;
 
-    return GetBytes(reinterpret_cast<uint8_t *>(buf), bufSize - 1);
+    return GetBytes(reinterpret_cast<uint8_t *>(buf), static_cast<uint32_t>(mElemLenOrVal));
 }
 
 CHIP_ERROR TLVReader::DupBytes(uint8_t *& buf, uint32_t & dataLen)

src/lib/core/tests/TestTLV.cpp

@@ -4946,3 +4946,66 @@ TEST_F(TestTLV, TestUninitializedWriter)
         EXPECT_EQ(writer.CopyContainer(ContextTag(1), buf, static_cast<uint16_t>(sizeof(buf))), CHIP_ERROR_INCORRECT_STATE);
     }
 }
+
+TEST_F(TestTLV, CheckGetStringBoundsCheck)
+{
+    // Write a short UTF8 string "Hi" into TLV
+    uint8_t backingStore[32];
+    TLVWriter writer;
+    writer.Init(backingStore, sizeof(backingStore));
+
+    CHIP_ERROR err = writer.PutString(AnonymousTag(), "Hi");
+    EXPECT_EQ(err, CHIP_NO_ERROR);
+    err = writer.Finalize();
+    EXPECT_EQ(err, CHIP_NO_ERROR);
+
+    // Reading with exact-fit buffer (3 bytes: 'H', 'i', '\0') should succeed
+    {
+        TLVReader reader;
+        reader.Init(backingStore, writer.GetLengthWritten());
+        err = reader.Next();
+        EXPECT_EQ(err, CHIP_NO_ERROR);
+
+        char buf[3];
+        err = reader.GetString(buf, sizeof(buf));
+        EXPECT_EQ(err, CHIP_NO_ERROR);
+        EXPECT_STREQ(buf, "Hi");
+    }
+
+    // Reading with buffer larger than needed should succeed
+    {
+        TLVReader reader;
+        reader.Init(backingStore, writer.GetLengthWritten());
+        err = reader.Next();
+        EXPECT_EQ(err, CHIP_NO_ERROR);
+
+        char buf[10];
+        err = reader.GetString(buf, sizeof(buf));
+        EXPECT_EQ(err, CHIP_NO_ERROR);
+        EXPECT_STREQ(buf, "Hi");
+    }
+
+    // Reading with buffer too small by 1 byte should fail
+    {
+        TLVReader reader;
+        reader.Init(backingStore, writer.GetLengthWritten());
+        err = reader.Next();
+        EXPECT_EQ(err, CHIP_NO_ERROR);
+
+        char buf[2];
+        err = reader.GetString(buf, sizeof(buf));
+        EXPECT_EQ(err, CHIP_ERROR_BUFFER_TOO_SMALL);
+    }
+
+    // Reading with bufSize=0 should fail
+    {
+        TLVReader reader;
+        reader.Init(backingStore, writer.GetLengthWritten());
+        err = reader.Next();
+        EXPECT_EQ(err, CHIP_NO_ERROR);
+
+        char buf[1];
+        err = reader.GetString(buf, 0);
+        EXPECT_EQ(err, CHIP_ERROR_BUFFER_TOO_SMALL);
+    }
+}