Fix for buffer overrun crash at copying nmea string
Add zero clearing of allocated nmea buffer to ensure
the nmea string is null terminated.
Change-Id: Ie36010a7d3eca16dabb3067ae891a94e4b63b10c
CRs-Fixed: 2041933
diff --git a/core/SystemStatus.cpp b/core/SystemStatus.cpp
index 12f97dd..f4f07f2 100644
--- a/core/SystemStatus.cpp
+++ b/core/SystemStatus.cpp
@@ -1396,7 +1396,7 @@
}
char buf[SystemStatusNmeaBase::NMEA_MAXSIZE + 1] = { 0 };
- strlcpy(buf, data, (len < strlen(data))? len : strlen(data));
+ strlcpy(buf, data, sizeof(buf));
pthread_mutex_lock(&mMutexSystemStatus);
diff --git a/gnss/GnssAdapter.cpp b/gnss/GnssAdapter.cpp
index 9652656..fc7d55e 100644
--- a/gnss/GnssAdapter.cpp
+++ b/gnss/GnssAdapter.cpp
@@ -2002,9 +2002,9 @@
size_t length) :
LocMsg(),
mAdapter(adapter),
- mNmea(new char[length]),
+ mNmea(new char[length+1]),
mLength(length) {
- memcpy((void*)mNmea, (void*)nmea, length);
+ strlcpy((char*)mNmea, nmea, length+1);
}
inline virtual ~MsgReportNmea()
{
