Format strings with length modifiers but missing format specifier like "%0" will one past the array size.
Signed-off-by: Peter Hutterer <[email protected]> --- sorry, had a messy tree here and the test got affected. This one will actually trigger the condition, the \n at the end in the first patch will be interpreted as directive otherwise. os/log.c | 3 +++ test/signal-logging.c | 8 ++++++++ 2 files changed, 11 insertions(+) diff --git a/os/log.c b/os/log.c index 2697ace..95bd8cc 100644 --- a/os/log.c +++ b/os/log.c @@ -304,6 +304,9 @@ pnprintf(char *string, size_t size, const char *f, va_list args) while (f_idx < f_len && ((f[f_idx] >= '0' && f[f_idx] <= '9') || f[f_idx] == '.')) f_idx++; + if (f_idx >= f_len) + break; + switch (f[f_idx]) { case 's': string_arg = va_arg(args, char*); diff --git a/test/signal-logging.c b/test/signal-logging.c index 1ef17af..e0eb810 100644 --- a/test/signal-logging.c +++ b/test/signal-logging.c @@ -199,6 +199,14 @@ static void logging_format(void) read_log_msg(logmsg); assert(strcmp(logmsg, "(EE) substituted string\n") == 0); + /* Invalid format */ +#warning Ignore compiler warning below "lacks type at end of format". This is intentional. + LogMessageVerbSigSafe(X_ERROR, -1, "%4", 4); + read_log_msg(logmsg); + assert(strcmp(logmsg, "(EE) ") == 0); + LogMessageVerbSigSafe(X_ERROR, -1, "\n"); + fseek(f, 0, SEEK_END); + /* number substitution */ ui = 0; do { -- 1.8.1.2 _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
