os: fix pnprintf OOB buffer read for unterminated length modifiers
authorPeter Hutterer <peter.hutterer@who-t.net>
Thu, 14 Feb 2013 06:31:13 +0000 (16:31 +1000)
committerKeith Packard <keithp@keithp.com>
Thu, 14 Feb 2013 19:01:21 +0000 (11:01 -0800)
Format strings that contain a length modifier but no conversion specifier, such as "%0",
will read one byte past the end of the array.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
os/log.c
test/signal-logging.c

index 2697ace..95bd8cc 100644 (file)
--- a/os/log.c
+++ b/os/log.c
@@ -304,6 +304,9 @@ pnprintf(char *string, size_t size, const char *f, va_list args)
         while (f_idx < f_len && ((f[f_idx] >= '0' && f[f_idx] <= '9') || f[f_idx] == '.'))
             f_idx++;
 
+        if (f_idx >= f_len)
+            break;
+
         switch (f[f_idx]) {
         case 's':
             string_arg = va_arg(args, char*);
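Review bot: The new `break` silently discards a conversion spec that is cut off by the end of the format string — the digits consumed by the `while` above it are never copied to `string` — and nothing in the code says this is deliberate, although the test added in test/signal-logging.c pins exactly that (`"%4"` produces only the `"(EE) "` prefix). Add a comment above the check so the next reader does not take it for an oversight: `/* format string ends inside a conversion spec (e.g. "%4"): drop the partial spec and stop */`. pnprintf starts and ends outside the hunk, so whether the leading `%` was already emitted, or whether `l`/`h` length modifiers are consumed before this point, cannot be confirmed from here.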
index 1ef17af..e0eb810 100644 (file)
@@ -199,6 +199,14 @@ static void logging_format(void)
     read_log_msg(logmsg);
     assert(strcmp(logmsg, "(EE) substituted string\n") == 0);
 
+    /* Invalid format */
+#warning Ignore compiler warning below "lacks type at end of format".  This is intentional.
+    LogMessageVerbSigSafe(X_ERROR, -1, "%4", 4);
+    read_log_msg(logmsg);
+    assert(strcmp(logmsg, "(EE) ") == 0);
+    LogMessageVerbSigSafe(X_ERROR, -1, "\n");
+    fseek(f, 0, SEEK_END);
+
     /* number substitution */
     ui = 0;
     do {
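Review bot: The `#warning` on the second added line fires on every build of the test and only explains the format warning instead of silencing it; if the project's compilers support it, the warning can be scoped to the one deliberately malformed call with `#pragma GCC diagnostic push`, `#pragma GCC diagnostic ignored "-Wformat"` before the `"%4"` call and `#pragma GCC diagnostic pop` after it. The purpose of the trailing `LogMessageVerbSigSafe(X_ERROR, -1, "\n")` and `fseek(f, 0, SEEK_END)` is also not stated; presumably they finish the partial log line and move the read position past it so the next `read_log_msg` starts clean, which a one-line comment such as `/* finish the partial line and skip past it before the next read */` would make explicit — confirm against read_log_msg. logging_format and the `f` stream it uses are defined outside the hunk.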