Fix vuprintf fix possible %s buffer over-read

when precision is not specified memchr recieved -1 for count count is unsigned so it looks in a potentially very large area for a terminator and returns this whole area if \0 is not found Instead we should use memchr when precision is specified and if precision is not specified use strlen Fixes 60+Mb Config.cfg files Change-Id: Ic4d1439334588f999c9071235430c42df2af5cc4
2018-11-06 12:33:38 -05:00 · 2018-11-06 12:33:38 -05:00 · de6618a271
parent fa8760705c
commit de6618a271
1 changed files with 11 additions and 6 deletions
--- a/firmware/common/vuprintf.c
+++ b/firmware/common/vuprintf.c
@ -473,15 +473,20 @@ static inline const char * format_s(const void *str,
        return NULL; /* wchar_t support for now */
    }

+    const char *s = str;
+    size_t len;
    /* string length may be specified by precision instead of \0-
       terminated; however, don't go past a \0 if one is there */
-    const char *s = str;
-    size_t len = precision >= 0 ? precision : -1;
+    if (precision >= 0) {
+        const char *nil = memchr(s, '\0', (size_t) precision);

-    const char *nil = memchr(s, '\0', len);
-    if (nil) {
-        len = nil - s;
-    }
+        if (nil != NULL && (nil - s) < precision)
+            len = nil - s;
+        else
+            len = precision;
+    } 
+    else
+        len = strlen(s);

    fmt_buf->length = len;
    return s;