A buffer in function test_flink_name was both too small and never
checked for overflow.  Both errors are fixed.

Signed-off-by: Steve Hampson <[email protected]>
Reviewed-by: Ashutosh Dixit <[email protected]>
---
 tests/i915/gem_flink_race.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/tests/i915/gem_flink_race.c b/tests/i915/gem_flink_race.c
index c1f5d5d51..cf07aedf1 100644
--- a/tests/i915/gem_flink_race.c
+++ b/tests/i915/gem_flink_race.c
@@ -83,7 +83,7 @@ static void test_flink_name(int timeout)
        struct flink_name *threads;
        int r, i, num_threads;
        unsigned long count;
-       char buf[256];
+       char buf[512];
        void *status;
        int len;
 
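Review bot: `buf[512]` is still a fixed guess that is not tied to `num_threads`, so the larger array caps the problem without guaranteeing a complete log line. Each thread now takes at least ten bytes (`%8lu, `), which leaves room for roughly fifty counts, less whatever the header written earlier in the function uses; that header is outside the hunk. Beyond that, the guard added in the join loop of the next hunk skips a count without leaving any marker in the output. A comment on the declaration would make the limit visible, for example `/* header + 10 bytes per thread; counts that do not fit are omitted from the log line */`, or the buffer could be sized from `num_threads` once it is known.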
@@ -118,9 +118,13 @@ static void test_flink_name(int timeout)
        for (i = 0;  i < num_threads; i++) {
                pthread_join(threads[i].thread, &status);
                igt_assert(status == 0);
-               len += snprintf(buf + len, sizeof(buf) - len, "%lu, ", 
threads[i].count);
+               /* Below, constant 11 is 8 digit number, comma, space and null 
byte */
+               if ((len + 11 + 1) < sizeof(buf))
+                       len += snprintf(buf + len, sizeof(buf) - len, "%8lu, ", 
threads[i].count);
        }
-       snprintf(buf + len - 2, sizeof(buf) - len + 2, "] races");
+       /* Below, constant 9 is 7 bytes for terminating string plus \n and null 
byte */
+       if (len + 9 < sizeof(buf))
+               snprintf(buf + len - 2, sizeof(buf) - len + 2, "] races");
        igt_info("%s\n", buf);
 
        close(fd);
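Review bot: The new guard in the join loop relies on a width assumption instead of snprintf()'s return value: `%8lu` sets a minimum width only, so a count above 99999999 produces more than the 10 characters that the constant 11 budgets for. snprintf() still truncates at the size it is given, so nothing is written past `buf` in the lines visible here, but it returns the untruncated length; with a 64-bit `unsigned long`, `len` can then advance past what was stored and even past `sizeof(buf)`, after which the `len + 9` check fails and the closing `] races` is silently dropped. Advancing only on a complete write removes the dependence on the magic numbers, using the `r` already declared in the function: `r = snprintf(buf + len, sizeof(buf) - len, "%lu, ", threads[i].count);` followed by `if (r > 0 && (size_t)r < sizeof(buf) - len) len += r;`. That keeps `len` below `sizeof(buf)` provided the initial value assigned outside the hunk already is. Both new conditions compare the `int` `len` against a `size_t`, which is safe only while `len` stays non-negative.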
-- 
2.21.0
