os: fix pnprintf OOB buffer read for unterminated length modifiers

Format strings with length modifiers but missing format specifier like "%0"
will read one byte past the array size.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>

2 files changed, 11 insertions, 0 deletions

diff --git a/os/log.c b/os/log.c
index 2697acec8..95bd8cca9 100644
--- a/os/log.c
+++ b/os/log.c
@@ -304,6 +304,9 @@ pnprintf(char *string, size_t size, const char *f, va_list args)
         while (f_idx < f_len && ((f[f_idx] >= '0' && f[f_idx] <= '9') || f[f_idx] == '.'))
             f_idx++;
 
+        if (f_idx >= f_len)
+            break;
+
         switch (f[f_idx]) {
         case 's':
             string_arg = va_arg(args, char*);
diff --git a/test/signal-logging.c b/test/signal-logging.c
index 1ef17af2c..e0eb81006 100644
--- a/test/signal-logging.c
+++ b/test/signal-logging.c
@@ -199,6 +199,14 @@ static void logging_format(void)
     read_log_msg(logmsg);
     assert(strcmp(logmsg, "(EE) substituted string\n") == 0);
 
+    /* Invalid format */
+#warning Ignore compiler warning below "lacks type at end of format".  This is intentional.
+    LogMessageVerbSigSafe(X_ERROR, -1, "%4", 4);
+    read_log_msg(logmsg);
+    assert(strcmp(logmsg, "(EE) ") == 0);
+    LogMessageVerbSigSafe(X_ERROR, -1, "\n");
+    fseek(f, 0, SEEK_END);
+
     /* number substitution */
     ui = 0;
     do {