Format strings with length modifiers but missing format specifier like "%0"
will read one byte past the array size.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
while (f_idx < f_len && ((f[f_idx] >= '0' && f[f_idx] <= '9') || f[f_idx] == '.'))
f_idx++;
+ if (f_idx >= f_len)
+ break;
+
switch (f[f_idx]) {
case 's':
string_arg = va_arg(args, char*);
read_log_msg(logmsg);
assert(strcmp(logmsg, "(EE) substituted string\n") == 0);
+ /* Invalid format */
+#warning Ignore compiler warning below "lacks type at end of format". This is intentional.
+ LogMessageVerbSigSafe(X_ERROR, -1, "%4", 4);
+ read_log_msg(logmsg);
+ assert(strcmp(logmsg, "(EE) ") == 0);
+ LogMessageVerbSigSafe(X_ERROR, -1, "\n");
+ fseek(f, 0, SEEK_END);
+
/* number substitution */
ui = 0;
do {