Format strings with length modifiers but a missing format specifier, like "%0", will read one past the array size.
Signed-off-by: Peter Hutterer <[email protected]>
---
Keith, probably one to add to 1.14, the current code reads past the format string.
 os/log.c | 3 +++
 test/signal-logging.c | 6 ++++++
 2 files changed, 9 insertions(+)
diff --git a/os/log.c b/os/log.c
index af44c1f..2a6d122 100644
--- a/os/log.c
+++ b/os/log.c
@@ -304,6 +304,9 @@ pnprintf(char *string, size_t size, const char *f, va_list args)
 while (f_idx < f_len && ((f[f_idx] >= '0' && f[f_idx] <= '9') || f[f_idx] == '.'))
 f_idx++;
+ if (f_idx >= f_len)
+ break;
+
 switch (f[f_idx]) {
 case 's':
 string_arg = va_arg(args, char*);
diff --git a/test/signal-logging.c b/test/signal-logging.c
index 1ef17af..1ddc267 100644
--- a/test/signal-logging.c
+++ b/test/signal-logging.c
@@ -199,6 +199,12 @@ static void logging_format(void)
 read_log_msg(logmsg);
 assert(strcmp(logmsg, "(EE) substituted string\n") == 0);
+ /* Invalid format */
+#warning Ignore compiler warning below "lacks type at end of format". This is intentional.
+ LogMessageVerbSigSafe(X_ERROR, -1, "%4\n", 4);
+ read_log_msg(logmsg);
+ assert(strcmp(logmsg, "(EE) %\n") == 0);
+
 /* number substitution */
 ui = 0;
 do {
--
1.8.1.2
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
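Review bot: The new `if (f_idx >= f_len) break;` in pnprintf (os/log.c hunk) carries no comment explaining why the loop is abandoned at that point, and the incomplete conversion is dropped without any trace in the output. I would add above it `/* format ended inside a conversion (e.g. "%0"): nothing left to dispatch on, stop before f[f_idx] is read */`. The guard also appears to cover a format whose last character is a bare '%', since the digit loop would then exit immediately with f_idx equal to f_len, but the statement that steps over '%' lies outside the hunk, so that should be confirmed against the full function. pnprintf's body starts and ends outside the hunk.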
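Review bot: The added case in logging_format (test/signal-logging.c hunk) uses the format `"%4\n"`, where a newline follows the length modifier, so the digit-skipping loop in os/log.c stops at '\n' with f_idx still below f_len and the new `if (f_idx >= f_len) break;` is presumably never taken; the assertion on `"(EE) %\n"` would then pass with or without the fix. A format that ends in the modifier, such as `"%4"` (matching the `"%0"` example in the commit message), would exercise the guarded path; if read_log_msg needs a newline-terminated entry (its definition is not in the hunk), a separate `"\n"` message can follow before reading. The `#warning` line is also emitted on every build and becomes an error under -Werror, so a plain comment would carry the same explanation more safely. logging_format's body starts and ends outside the hunk.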
