Commit 9a35d424 authored by Peter Hutterer, committed by Keith Packard

os: fix pnprintf OOB buffer read for unterminated length modifiers



Format strings with length modifiers but missing format specifier like "%0"
will read one byte past the array size.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
parent 955d434f
......@@ -304,6 +304,9 @@ pnprintf(char *string, size_t size, const char *f, va_list args)
while (f_idx < f_len && ((f[f_idx] >= '0' && f[f_idx] <= '9') || f[f_idx] == '.'))
f_idx++;
if (f_idx >= f_len)
break;
switch (f[f_idx]) {
case 's':
string_arg = va_arg(args, char*);
......
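Review bot: the `if (f_idx >= f_len) break;` check after the digit and '.' skipping loop has no comment saying that the format string ended inside a conversion and that the partial specifier is dropped on purpose. A one-line comment above the check would make that intent clear to the next reader. It is also worth confirming that the output buffer is still NUL-terminated on this early exit, since the code after the loop is not visible in this hunk.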
......@@ -199,6 +199,14 @@ static void logging_format(void)
read_log_msg(logmsg);
assert(strcmp(logmsg, "(EE) substituted string\n") == 0);
/* Invalid format */
#warning Ignore compiler warning below "lacks type at end of format". This is intentional.
LogMessageVerbSigSafe(X_ERROR, -1, "%4", 4);
read_log_msg(logmsg);
assert(strcmp(logmsg, "(EE) ") == 0);
LogMessageVerbSigSafe(X_ERROR, -1, "\n");
fseek(f, 0, SEEK_END);
/* number substitution */
ui = 0;
do {
......
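Review bot: the `#warning` directive in the "Invalid format" block fires on every build and becomes a hard failure under -Werror; it is also a compiler extension rather than standard C before C23. A plain comment above the `LogMessageVerbSigSafe(X_ERROR, -1, "%4", 4);` call, or a locally scoped suppression of the format diagnostic, would document the intent without adding build noise. The test exercises only "%4"; adding the "%0" case named in the commit message and a form ending in '.' would cover the other characters the skip loop accepts.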