From e18ce6c959a1135b3487ce0a63bea3e319b89a43 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Mon, 28 Apr 2025 15:05:24 -0400
Subject: [PATCH] test-runner: Fix potentially overflowing call to snprintf

The return value of a call to snprintf is the number of characters that would have been written to the buffer assuming there was sufficient space. In the event that the operation reaches the end of the buffer and more than one character is discarded, the return value will be greater than the buffer size.

Fixes: https://github.com/bluez/bluez/issues/1215
---
 tools/test-runner.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/tools/test-runner.c b/tools/test-runner.c
index 1d770330c..7c9386d2c 100644
--- a/tools/test-runner.c
+++ b/tools/test-runner.c
@@ -261,7 +261,15 @@ static void start_qemu(void)
 	for (i = 1; i < test_argc; i++) {
 		int len = sizeof(testargs) - pos;
 
-		pos += snprintf(testargs + pos, len, " %s", test_argv[i]);
+		int n = snprintf(testargs + pos, len, " %s", test_argv[i]);
+
+		if (n < 0 || n >= len) {
+			fprintf(stderr, "Buffer overflow detected in "
+					"testargs\n");
+			exit(EXIT_FAILURE);
+		}
+
+		pos += n;
 	}
 
 	snprintf(cmdline, sizeof(cmdline),
-- 
2.47.3
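Review bot: The message on the new fprintf line reports a "buffer overflow", but the condition it guards is snprintf truncation — nothing has been written past testargs, the argument was simply cut off — so a message such as `"testargs too small for test argument %d\n", i` would describe the failure accurately and tell the user which argument tripped it. The check itself is right: `n >= len` rejects both the exact-fit case, where the terminator displaces the last byte, and the longer case the commit message describes. The `snprintf(cmdline, sizeof(cmdline), ...` call at the bottom of the hunk is still unchecked and, as far as the visible lines show, would truncate silently in the same way; the same `n < 0 || n >= size` test applied there would close the remaining gap. start_qemu begins and ends outside the hunk, so the initial value of pos and the use of cmdline are not visible here.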