From 604d87414393cd07fb7341a8fdb4802b8de390be Mon Sep 17 00:00:00 2001 From: Katz Yamada Date: Thu, 4 May 2017 14:43:52 -0700 Subject: [PATCH] Fix for buffer overrun crash at copying nmea string Add zero clearing of allocated nmea buffer to ensure the nmea string is null terminated. Change-Id: Ie36010a7d3eca16dabb3067ae891a94e4b63b10c CRs-Fixed: 2041933 --- core/SystemStatus.cpp | 2 +- gnss/GnssAdapter.cpp | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/core/SystemStatus.cpp b/core/SystemStatus.cpp index 12f97ddc..f4f07f27 100644 --- a/core/SystemStatus.cpp +++ b/core/SystemStatus.cpp @@ -1396,7 +1396,7 @@ bool SystemStatus::setNmeaString(const char *data, uint32_t len) } char buf[SystemStatusNmeaBase::NMEA_MAXSIZE + 1] = { 0 }; - strlcpy(buf, data, (len < strlen(data))? len : strlen(data)); + strlcpy(buf, data, sizeof(buf)); pthread_mutex_lock(&mMutexSystemStatus); diff --git a/gnss/GnssAdapter.cpp b/gnss/GnssAdapter.cpp index 9652656f..fc7d55e5 100644 --- a/gnss/GnssAdapter.cpp +++ b/gnss/GnssAdapter.cpp @@ -2002,9 +2002,9 @@ GnssAdapter::reportNmeaEvent(const char* nmea, size_t length, bool fromUlp) size_t length) : LocMsg(), mAdapter(adapter), - mNmea(new char[length]), + mNmea(new char[length+1]), mLength(length) { - memcpy((void*)mNmea, (void*)nmea, length); + strlcpy((char*)mNmea, nmea, length+1); } inline virtual ~MsgReportNmea() {
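Review bot: The new `strlcpy(buf, data, sizeof(buf))` no longer uses `len` at all, so the copy now trusts `data` to be NUL-terminated and reads it until a NUL regardless of how many bytes the caller said are valid; if an NMEA sentence arrives without a terminator, strlcpy over-reads past `len` (BSD strlcpy also walks the whole source to compute its return value, so the size argument bounds the write, not the read). Since `buf` is already zero-initialised, a length-bounded copy gives the same NUL-terminated result without the over-read: `memcpy(buf, data, len < SystemStatusNmeaBase::NMEA_MAXSIZE ? len : SystemStatusNmeaBase::NMEA_MAXSIZE);`. The removed `(len < strlen(data)) ? len : strlen(data)` form had the same over-read plus an off-by-one (passing `len` as a strlcpy size that includes the terminator drops the last character), so the replacement is an improvement, just not a bounded one. `setNmeaString` begins before the hunk, so I cannot see whether an earlier check already guarantees termination or `len <= NMEA_MAXSIZE`.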
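Review bot: The new `strlcpy((char*)mNmea, nmea, length+1)` reads `nmea` up to its NUL rather than up to `length`, so it only removes the crash when the source is already NUL-terminated; `reportNmeaEvent` carries an explicit `size_t length`, which suggests the source is length-delimited, and an unterminated sentence would still be over-read here (strlcpy scans the whole source for its return value). With the `length+1` allocation already in place, `memcpy((void*)mNmea, (void*)nmea, length); ((char*)mNmea)[length] = '\0';` copies exactly the bytes the caller vouched for and terminates them. That form also keeps `mLength` honest: if `nmea` contains a NUL before `length`, strlcpy stops early while `mLength` still claims `length` bytes, and the trailing bytes of `mNmea` are left uninitialised. The commit message says the buffer is zero-cleared, but the hunk does no clearing, so either the message or the code should be reconciled. The enclosing constructor ends inside the hunk, but the destructor at its tail continues beyond the visible text.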