From: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Sat, 16 Sep 2017 06:38:28 +0000 (+0200)
Subject: udev: fix buffer overflow in udev_event_apply_format()
X-Git-Tag: v235~91^2~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=79a695f24fd19c35a4fe214c42073725dbff1473;p=platform%2Fupstream%2Fsystemd.git

udev: fix buffer overflow in udev_event_apply_format()

Fixes #6664.
---

diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c
index 601f0ee..09f7baf 100644
--- a/src/udev/udev-event.c
+++ b/src/udev/udev-event.c
@@ -362,7 +362,7 @@ size_t udev_event_apply_format(struct udev_event *event,
                         }
 copy:
                         /* copy char */
-                        if (l == 0)
+                        if (l < 2) /* need space for this char and the terminating NUL */
                                 goto out;
                         s[0] = from[0];
                         from++;
@@ -377,12 +377,12 @@ subst:
                         unsigned int i;
 
                         from++;
-                        for (i = 0; from[i] != '}'; i++) {
+                        for (i = 0; from[i] != '}'; i++)
                                 if (from[i] == '\0') {
                                         log_error("missing closing brace for format '%s'", src);
                                         goto out;
                                 }
-                        }
+
                         if (i >= sizeof(attrbuf))
                                 goto out;
                         memcpy(attrbuf, from, i);
@@ -407,6 +407,7 @@ subst:
         }
 
 out:
+        assert(l >= 1);
         s[0] = '\0';
         return l;
 }