From d77e8c02691fa3100f5015961568d9a527f25e95 Mon Sep 17 00:00:00 2001
From: Kostya Serebryany
Date: Fri, 9 Sep 2016 02:13:27 +0000
Subject: [PATCH] [sanitizer] fix a potential buffer overflow due to __sanitizer_symbolize_pc (need to put a zero after strncmp). LOL

llvm-svn: 281015
---
 .../lib/sanitizer_common/sanitizer_stacktrace_libcdep.cc | 3 +++
 compiler-rt/test/sanitizer_common/TestCases/symbolize_pc.cc | 10 +++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_stacktrace_libcdep.cc b/compiler-rt/lib/sanitizer_common/sanitizer_stacktrace_libcdep.cc
index 1d5af73..522fbeb 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_stacktrace_libcdep.cc
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_stacktrace_libcdep.cc
@@ -88,11 +88,13 @@ extern "C" {
 SANITIZER_INTERFACE_ATTRIBUTE
 void __sanitizer_symbolize_pc(uptr pc, const char *fmt, char *out_buf,
                               uptr out_buf_size) {
+  if (!out_buf_size) return;
   using namespace __sanitizer;
   pc = StackTrace::GetPreviousInstructionPc(pc);
   SymbolizedStack *frame = Symbolizer::GetOrInit()->SymbolizePC(pc);
   if (!frame) {
     internal_strncpy(out_buf, "", out_buf_size);
+    out_buf[out_buf_size - 1] = 0;
     return;
   }
   InternalScopedString frame_desc(GetPageSizeCached());
@@ -100,5 +102,6 @@ void __sanitizer_symbolize_pc(uptr pc, const char *fmt, char *out_buf,
                               common_flags()->symbolize_vs_style,
                               common_flags()->strip_path_prefix);
   internal_strncpy(out_buf, frame_desc.data(), out_buf_size);
+  out_buf[out_buf_size - 1] = 0;
 }
 } // extern "C"
diff --git a/compiler-rt/test/sanitizer_common/TestCases/symbolize_pc.cc b/compiler-rt/test/sanitizer_common/TestCases/symbolize_pc.cc
index deb5b0c..11679d7 100644
--- a/compiler-rt/test/sanitizer_common/TestCases/symbolize_pc.cc
+++ b/compiler-rt/test/sanitizer_common/TestCases/symbolize_pc.cc
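Review bot: The terminator added in the `!frame` branch is redundant and obscures the intent: `internal_strncpy(out_buf, "", out_buf_size)` already NUL-pads every byte of out_buf, so nothing could overflow there; `out_buf[0] = 0;` alone says what is meant, and the terminator that actually closes the overflow is the one after the frame_desc copy in the second hunk. With the new early return a zero-sized buffer is left untouched and a too-small one is truncated silently with no signal to the caller, which is worth stating above the definition, e.g. `// Writes at most out_buf_size-1 characters and always NUL-terminates; out_buf_size == 0 leaves out_buf untouched.` The lines between the two hunks (presumably the RenderFrame call) are not visible; if nothing there releases the SymbolizedStack returned by SymbolizePC, every call leaks it, which is worth confirming. Minor: the subject line says strncmp, but the call being terminated is internal_strncpy.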
@@ -6,13 +6,21 @@
 #include
 #include
 void SymbolizeCaller() {
-  char data[1000];
+  char data[100];
   __sanitizer_symbolize_pc(__builtin_return_address(0), "%p %F %L", data,
                            sizeof(data));
   printf("FIRST_FORMAT %s\n", data);
   __sanitizer_symbolize_pc(__builtin_return_address(0),
                            "FUNC:%f LINE:%l FILE:%s", data, sizeof(data));
   printf("SECOND_FORMAT %s\n", data);
+  __sanitizer_symbolize_pc(__builtin_return_address(0),
+                           "LOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO"
+                           "OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO"
+                           "OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO"
+                           "OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO"
+                           "OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOONG"
+                           "FUNC:%f LINE:%l FILE:%s", data, sizeof(data));
+  printf("LONG_FORMAT %s\n", data);
 }
 
 // CHECK: FIRST_FORMAT 0x{{.*}} in main symbolize_pc.cc:[[@LINE+3]]
-- 
2.7.4
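Review bot: The LONG_FORMAT case exercises the truncation path but nothing in the hunk checks what it produced; the hunk ends at the FIRST_FORMAT CHECK, so if no LONG_FORMAT CHECK follows it outside the hunk, add one — with a 100-byte buffer the printed text is exactly the first 99 characters of the 'L'/'O' literal (the O-runs alone exceed 100 bytes), which is deterministic, can be pinned verbatim with `// CHECK: LONG_FORMAT LOOO…`, and must not contain `FUNC:`. Shrinking `data` to 100 also puts the `%p %F %L` and `FUNC:%f LINE:%l FILE:%s` outputs under the same 99-byte limit, so unless the RUN line (not visible here) strips the source path prefix, a deep build tree could truncate the location and fail the FIRST_FORMAT CHECK for a reason unrelated to the bug; giving only the long-format call its own small buffer, `char small[100];` and `small, sizeof(small)`, keeps the two concerns apart. The targets of the two `#include` context lines were lost in extraction and cannot be recovered from the hunk.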