From: Wayne Davison <wayned@samba.org>
Date: Wed, 30 Mar 2005 23:39:00 +0000 (+0000)
Subject: Make sure that we can't scan past the end of the format string.
X-Git-Tag: v2.6.4~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e145d51ba6d4a90ab86f7f22b1c75be4e62ba916;p=thirdparty%2Frsync.git

Make sure that we can't scan past the end of the format string.
---

diff --git a/log.c b/log.c
index c6d2fc81..87cd1d77 100644
--- a/log.c
+++ b/log.c
@@ -371,6 +371,8 @@ static void log_formatted(enum logcode code, char *format, char *op,
 			*n++ = *p++;
 		while (isdigit(*(uchar*)p) && n - fmt < (int)(sizeof fmt) - 8)
 			*n++ = *p++;
+		if (!*p)
+			break;
 		*n = '\0';
 		n = NULL;
 
@@ -497,9 +499,6 @@ static void log_formatted(enum logcode code, char *format, char *op,
 			break;
 		}
 
-		/* Subtract the length of the escape from the string's size. */
-		total -= p - s;
-
 		/* "n" is the string to be inserted in place of this % code. */
 		if (!n)
 			continue;
@@ -510,6 +509,9 @@ static void log_formatted(enum logcode code, char *format, char *op,
 		}
 		len = strlen(n);
 
+		/* Subtract the length of the escape from the string's size. */
+		total -= p - s;
+
 		if (len + total >= sizeof buf) {
 			rprintf(FERROR,
 				"buffer overflow expanding %%%c -- exiting\n",