From b03fd30825661494cb69b57e2b5ff53fa036edba Mon Sep 17 00:00:00 2001
From: Vyacheslav Cherkashin <v.cherkashin@samsung.com>
Date: Thu, 26 Apr 2018 19:51:51 +0300
Subject: [PATCH] Fix buffer overflow

Change-Id: I8b7805e8c9cc18498ab3f49faacb538ca4723a7a
Signed-off-by: Vyacheslav Cherkashin <v.cherkashin@samsung.com>
---
 probe_graphics/da_gles20.inc | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/probe_graphics/da_gles20.inc b/probe_graphics/da_gles20.inc
index b7154ea..0294a3d 100644
--- a/probe_graphics/da_gles20.inc
+++ b/probe_graphics/da_gles20.inc
@@ -38,25 +38,27 @@ static __thread int is_gl_error_external = 1;
 
 static void __ui_array_to_str(char *to, GLuint *arr, int count, size_t bufsize)
 {
-	int i = 0, len = 0;
+	int i = 0;
 	char *start = to;
 
 	for (i = 0; i < count; i++) {
-		/* GLuint - 32 bit integer. Max value is 2147483647. So, for one
-		 * number we need 10 chars for numbers at max, 1 for comma,
-		 * 1 for space */
-		if (bufsize < 12) {
-			PRINTERR("too small buffer.");
-			break;
-		}
+		int len;
 
 		len = snprintf(to, bufsize,"%u, ", *arr++);
+		if (len < 0) {
+			PRINTERR("output error, ret=%d", len);
+			break;
+		} else if (len >= bufsize) {
+			PRINTERR("too small buffer, len=%d", len);
+			break;
+		}
 
 		to += len;
 		bufsize -= len;
 	}
 
-	if (count != 0 && to > (start + 2)) {
+	if (to > (start + 2)) {
+		/* remove tail ", " */
 		to -= 2;
 		*to = '\0';
 	} else {
-- 
2.7.4