frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

os: fix pnprintf OOB buffer read for unterminated length modifiers 

Format strings with length modifiers but missing format specifier like "%0"
will read one byte past the array size.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
This commit is contained in:
Peter Hutterer 2013-02-14 16:31:13 +10:00 committed by Keith Packard
parent 955d434f4d
commit 9a35d4240e
2 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
os/log.c
View File

@ -304,6 +304,9 @@ pnprintf(char *string, size_t size, const char *f, va_list args)
while (f_idx < f_len && ((f[f_idx] >= '0' && f[f_idx] <= '9') || f[f_idx] == '.')) while (f_idx < f_len && ((f[f_idx] >= '0' && f[f_idx] <= '9') || f[f_idx] == '.'))
f_idx++; f_idx++;
if (f_idx >= f_len)
break;
switch (f[f_idx]) { switch (f[f_idx]) {
case 's': case 's':
string_arg = va_arg(args, char*); string_arg = va_arg(args, char*);

8
test/signal-logging.c
View File

@ -199,6 +199,14 @@ static void logging_format(void)
read_log_msg(logmsg); read_log_msg(logmsg);
assert(strcmp(logmsg, "(EE) substituted string\n") == 0); assert(strcmp(logmsg, "(EE) substituted string\n") == 0);
/* Invalid format */
#warning Ignore compiler warning below "lacks type at end of format". This is intentional.
LogMessageVerbSigSafe(X_ERROR, -1, "%4", 4);
read_log_msg(logmsg);
assert(strcmp(logmsg, "(EE) ") == 0);
LogMessageVerbSigSafe(X_ERROR, -1, "\n");
fseek(f, 0, SEEK_END);
/* number substitution */ /* number substitution */
ui = 0; ui = 0;
do { do {