Skip to content

L
liblongpath-rsync
Commit e145d51b authored by Wayne Davison's avatar Wayne Davison
Browse files
Options

Make sure that we can't scan past the end of the format string.

parent dcbae654
Hide whitespace changes
Inline Side-by-side
Showing with 5 additions and 3 deletions
log.c
View file @ e145d51b
...@@ -371,6 +371,8 @@ static void log_formatted(enum logcode code, char *format, char *op, ...@@ -371,6 +371,8 @@ static void log_formatted(enum logcode code, char *format, char *op,
*n++ = *p++; *n++ = *p++;
while (isdigit(*(uchar*)p) && n - fmt < (int)(sizeof fmt) - 8) while (isdigit(*(uchar*)p) && n - fmt < (int)(sizeof fmt) - 8)
*n++ = *p++; *n++ = *p++;
if (!*p)
break;
*n = '\0'; *n = '\0';
n = NULL; n = NULL;
...@@ -497,9 +499,6 @@ static void log_formatted(enum logcode code, char *format, char *op, ...@@ -497,9 +499,6 @@ static void log_formatted(enum logcode code, char *format, char *op,
break; break;
} }
/* Subtract the length of the escape from the string's size. */
total -= p - s;
/* "n" is the string to be inserted in place of this % code. */ /* "n" is the string to be inserted in place of this % code. */
if (!n) if (!n)
continue; continue;
...@@ -510,6 +509,9 @@ static void log_formatted(enum logcode code, char *format, char *op, ...@@ -510,6 +509,9 @@ static void log_formatted(enum logcode code, char *format, char *op,
} }
len = strlen(n); len = strlen(n);
/* Subtract the length of the escape from the string's size. */
total -= p - s;
if (len + total >= sizeof buf) { if (len + total >= sizeof buf) {
rprintf(FERROR, rprintf(FERROR,
"buffer overflow expanding %%%c -- exiting\n", "buffer overflow expanding %%%c -- exiting\n",
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment