Fix potential buffer overrun.
BUG=27840771
Rationale:
Fixed buffer overrun by recomputing available remaining space at each
point. Note, we could use strlcat for exactly this situation, using the
full buffer length, but since buffer length - 1 was used in other places,
this change keeps the code closest to the original.
Change-Id: Id38ba34949b7e25ae8acadce1c24e080aebf06ae
diff --git a/libdex/OptInvocation.cpp b/libdex/OptInvocation.cpp
index be7f70b..bfad44b 100644
--- a/libdex/OptInvocation.cpp
+++ b/libdex/OptInvocation.cpp
@@ -87,9 +87,9 @@
ALOGE("Can't get CWD while opening jar file");
return NULL;
}
- strncat(absoluteFile, "/", kBufLen);
+ strncat(absoluteFile, "/", kBufLen - strlen(absoluteFile));
}
- strncat(absoluteFile, fileName, kBufLen);
+ strncat(absoluteFile, fileName, kBufLen - strlen(absoluteFile));
/*
* Append the name of the Jar file entry, if any. This is not currently
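Review bot: The new bound `kBufLen - strlen(absoluteFile)` on both strncat calls is only safe if kBufLen is one less than the size of absoluteFile, because strncat appends up to n characters and then writes a terminating NUL. The commit message says "buffer length - 1" is used elsewhere, but the declarations of kBufLen and the buffers are outside this hunk, so the invariant cannot be confirmed from here. I would document it at the first call, e.g. `/* kBufLen == sizeof(absoluteFile) - 1, so n leaves room for strncat's NUL */`, or pin it with a compile-time assertion next to the declaration. The same applies to the strncat calls in the hunks at -97 and -136; the enclosing function starts and ends outside this hunk.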
@@ -97,8 +97,8 @@
* in a Jar.
*/
if (subFileName != NULL) {
- strncat(absoluteFile, "/", kBufLen);
- strncat(absoluteFile, subFileName, kBufLen);
+ strncat(absoluteFile, "/", kBufLen - strlen(absoluteFile));
+ strncat(absoluteFile, subFileName, kBufLen - strlen(absoluteFile));
}
/* Turn the path into a flat filename by replacing
@@ -136,7 +136,7 @@
/* Tack on the file name for the actual cache file path.
*/
- strncat(nameBuf, absoluteFile, kBufLen);
+ strncat(nameBuf, absoluteFile, kBufLen - strlen(nameBuf));
ALOGV("Cache file for '%s' '%s' is '%s'", fileName, subFileName, nameBuf);
return strdup(nameBuf);
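Review bot: An over-long path is still truncated silently by the strncat into nameBuf, and the shortened name is then returned through strdup as the cache file path. If the flattening code outside this hunk preserves length, two distinct long inputs could end up with the same cache file name, so truncation is better treated as an error than as a result. A check before the append would do it: `if (strlen(absoluteFile) > kBufLen - strlen(nameBuf)) { ALOGE("Cache file name too long"); return NULL; }`. That matches the NULL return already used on the getcwd failure path in the first hunk. The function body starts outside this hunk.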