author | Keith Preston <keithpre@gmail.com> | 2010-02-11 15:12:53 -0600 |
---|---|---|
committer | preston <keithpre@gmail.com> | 2010-02-18 15:33:28 -0600 |
commit | b45b5c9f227473050ef785d11e518e947c8754fb (patch) | |
tree | e3e38a26867d940a092bca2e65626906ff814b77 /liblog | |
parent | 91a54c11cbfbe3adc1df2f523c75ad76affb0ae9 (diff) | |
download | core-b45b5c9f227473050ef785d11e518e947c8754fb.tar.gz core-b45b5c9f227473050ef785d11e518e947c8754fb.tar.bz2 core-b45b5c9f227473050ef785d11e518e947c8754fb.zip |
Fix Heap Corruption from too long of a TAG
snprintf has a weird return value. It returns what would have been written given a large enough buffer.
In the case that the prefix is longer than our buffer(128), it messes up the calculations below possibly causing heap corruption.
To avoid this we double check and set the length at the maximum (size minus null byte
Diffstat (limited to 'liblog')
-rw-r--r-- | liblog/logprint.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/liblog/logprint.c b/liblog/logprint.c index 080f9e364..acfa9f4c4 100644 --- a/liblog/logprint.c +++ b/liblog/logprint.c @@ -753,6 +753,16 @@ char *android_log_formatLogLine ( suffixLen = 1; break; } + /* snprintf has a weird return value. It returns what would have been + * written given a large enough buffer. In the case that the prefix is + * longer then our buffer(128), it messes up the calculations below + * possibly causing heap corruption. To avoid this we double check and + * set the length at the maximum (size minus null byte) + */ + if(prefixLen >= sizeof(prefixBuf)) + prefixLen = sizeof(prefixBuf) - 1; + if(suffixLen >= sizeof(suffixBuf)) + suffixLen = sizeof(suffixBuf) - 1; /* the following code is tragically unreadable */ |
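Review bot: the clamps at `if(prefixLen >= sizeof(prefixBuf))` and `if(suffixLen >= sizeof(suffixBuf))` handle only the "would have been written" return value described in the comment, and the comment says nothing about snprintf's other unusual return, a negative value on error. If prefixLen and suffixLen are signed ints, the comparison against sizeof converts a negative value to a large unsigned one, so it also ends up clamped to size minus one, but that is a side effect of the integer conversion rather than something the code states; an explicit `< 0` check, or a sentence in the comment, would make the intent clear. The check also relies on prefixBuf and suffixBuf being arrays in this scope, since sizeof on a pointer would give the pointer size, and the comment hardcodes "buffer(128)" while the code uses sizeof, so the number can go stale if the buffer is resized. Two smaller points: an over-long tag is now truncated silently, which is worth noting in the comment, and the one-line `if` bodies would be safer with braces and a space after `if` to match the surrounding style.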