From fe58f1fcb4f7129f82dd7852f9605107ce2d88bf Mon Sep 17 00:00:00 2001
From: Radoslaw Jablonski <radoslawjablonski@gmail.com>
Date: Wed, 27 Jul 2011 09:39:48 +0200
Subject: [PATCH] obexd: Fix writing out of bounds in add_slash func

For long input string there was possibility to write out
of "dest" buffer. It usually ended with obexd crash little
later in some random place.
---
 obexd/plugins/vcard.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/obexd/plugins/vcard.c b/obexd/plugins/vcard.c
index 2c1326652..30841b7ba 100644
--- a/obexd/plugins/vcard.c
+++ b/obexd/plugins/vcard.c
@@ -101,25 +101,41 @@ static void add_slash(char *dest, const char *src, int len_max, int len)
 {
 	int i, j;
 
-	for (i = 0, j = 0; i < len && j < len_max; i++, j++) {
+	for (i = 0, j = 0; i < len && j + 1 < len_max; i++, j++) {
+		/* filling dest buffer - last field need to be reserved
+		 * for '\0'*/
 		switch (src[i]) {
 		case '\n':
+			if (j + 2 >= len_max)
+				/* not enough space in the buffer to put char
+				 * preceded with escaping sequence (and '\0' in
+				 * the end) */
+				goto done;
+
 			dest[j++] = '\\';
 			dest[j] = 'n';
 			break;
 		case '\r':
+			if (j + 2 >= len_max)
+				goto done;
+
 			dest[j++] = '\\';
 			dest[j] = 'r';
 			break;
 		case '\\':
 		case ';':
 		case ',':
+			if (j + 2 >= len_max)
+				goto done;
+
 			dest[j++] = '\\';
 		default:
 			dest[j] = src[i];
 			break;
 		}
 	}
+
+done:
 	dest[j] = 0;
 }
 
-- 
2.47.3