[PATCH] os: fix pnprintf OOB buffer read for unterminated length modifiers
Peter Hutterer
peter.hutterer at who-t.net
Wed Feb 13 21:40:34 PST 2013
Format strings with length modifiers but missing format specifier like "%0"
will read one past the array size.
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
---
Keith, probably one to add to 1.14, the current code reads past the format
string.
os/log.c | 3 +++
test/signal-logging.c | 6 ++++++
2 files changed, 9 insertions(+)
diff --git a/os/log.c b/os/log.c
index af44c1f..2a6d122 100644
--- a/os/log.c
+++ b/os/log.c
@@ -304,6 +304,9 @@ pnprintf(char *string, size_t size, const char *f, va_list args)
while (f_idx < f_len && ((f[f_idx] >= '0' && f[f_idx] <= '9') || f[f_idx] == '.'))
f_idx++;
+ if (f_idx >= f_len)
+ break;
+
switch (f[f_idx]) {
case 's':
string_arg = va_arg(args, char*);
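Review bot: the new `if (f_idx >= f_len) break;` only guards the exit of the digit/'.' loop, so a format whose last character is a bare '%' (no modifier at all) relies on f_idx already having been advanced past the '%' before this point to trip the same check; worth confirming in the lines above the hunk, since that is the degenerate form of the same bug. Also note the silent `break` drops the partially consumed "%..." entirely, whereas the unknown-specifier path (per the test expectation "(EE) %\n") emits a literal '%'; a one-line comment stating that a truncated directive is intentionally discarded would make that asymmetry deliberate rather than accidental.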
diff --git a/test/signal-logging.c b/test/signal-logging.c
index 1ef17af..1ddc267 100644
--- a/test/signal-logging.c
+++ b/test/signal-logging.c
@@ -199,6 +199,12 @@ static void logging_format(void)
read_log_msg(logmsg);
assert(strcmp(logmsg, "(EE) substituted string\n") == 0);
+ /* Invalid format */
+#warning Ignore compiler warning below "lacks type at end of format". This is intentional.
+ LogMessageVerbSigSafe(X_ERROR, -1, "%4\n", 4);
+ read_log_msg(logmsg);
+ assert(strcmp(logmsg, "(EE) %\n") == 0);
+
/* number substitution */
ui = 0;
do {
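Review bot: the test format "%4\n" ends in '\n', not in the length modifier, so after the digit loop f[f_idx] is '\n' and f_idx is still less than f_len; unless LogMessageVerbSigSafe strips the trailing newline before calling pnprintf, this case exercises the unknown-specifier path rather than the new `f_idx >= f_len` guard. Adding a second call with the newline-free form "%4" would cover the out-of-bounds read this patch fixes. Separately, `#warning` is a non-standard directive that fires on every build; wrapping the call in `#pragma GCC diagnostic push` / `ignored "-Wformat"` / `pop` silences only the intended warning and keeps the build log clean.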
--
1.8.1.2