Fix for buffer overrun crash at copying nmea string

Add zero clearing of allocated nmea buffer to ensure
the nmea string is null terminated.

Change-Id: Ie36010a7d3eca16dabb3067ae891a94e4b63b10c
CRs-Fixed: 2041933
Katz Yamada 2017-05-04 14:43:52 -07:00
parent 10ab9ccaaf
commit 604d874143
2 changed files with 3 additions and 3 deletions


@ -1396,7 +1396,7 @@ bool SystemStatus::setNmeaString(const char *data, uint32_t len)
} }
char buf[SystemStatusNmeaBase::NMEA_MAXSIZE + 1] = { 0 }; char buf[SystemStatusNmeaBase::NMEA_MAXSIZE + 1] = { 0 };
strlcpy(buf, data, (len < strlen(data))? len : strlen(data)); strlcpy(buf, data, sizeof(buf));
pthread_mutex_lock(&mMutexSystemStatus); pthread_mutex_lock(&mMutexSystemStatus);
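Review bot: The new `strlcpy(buf, data, sizeof(buf))` in setNmeaString no longer uses `len` at all, and strlcpy walks `data` until it finds a NUL in order to compute its return value, so a caller that passes a buffer without a terminator causes a read past the end of `data`. Since `buf` is already zero-initialized, a copy bounded by both the caller's length and the buffer size keeps the result terminated without depending on the source: `size_t n = (len < sizeof(buf) - 1) ? len : sizeof(buf) - 1; memcpy(buf, data, n);`. The same source-side read applies to `strlcpy((char*)mNmea, nmea, length+1)` in the MsgReportNmea constructor in the second file. The function body starts and ends outside the hunk, so whether `data` is checked for null or guaranteed to be terminated before this point is not visible here.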


@ -2002,9 +2002,9 @@ GnssAdapter::reportNmeaEvent(const char* nmea, size_t length, bool fromUlp)
size_t length) : size_t length) :
LocMsg(), LocMsg(),
mAdapter(adapter), mAdapter(adapter),
mNmea(new char[length]), mNmea(new char[length+1]),
mLength(length) { mLength(length) {
memcpy((void*)mNmea, (void*)nmea, length); strlcpy((char*)mNmea, nmea, length+1);
} }
inline virtual ~MsgReportNmea() inline virtual ~MsgReportNmea()
{ {
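Review bot: `new char[length+1]` leaves the allocation uninitialized, so the zero clearing that the commit message describes does not happen in this constructor. If `nmea` contains a NUL before `length` bytes, strlcpy stops there and the remaining bytes up to `mLength` keep indeterminate heap contents, which a consumer reading `mLength` bytes would then pass on. Value-initializing the buffer and keeping the length-bounded copy gives both a guaranteed terminator and a defined tail: `mNmea(new char[length+1]()),` together with `memcpy((void*)mNmea, nmea, length);`. The enclosing class and the code that reads mNmea and mLength are outside the hunk, so how the buffer is consumed should be confirmed.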