From 193911af760d460198fc7f08bf6da824f74975b7 Mon Sep 17 00:00:00 2001
From: Thomas Martitz <kugel@rockbox.org>
Date: Sun, 12 Jan 2014 17:31:53 +0100
Subject: put_line(): Fix buffer overflow.

At the end of the format string it wrote a last byte (or inline string) past
the end of the lcd boundaries, potentially overwriting unrelated memory. It
now makes sure it won't exceed the viewport's width.

Change-Id: Id4cfce918e8b070b7fc3c7d33f389f7a171963ff
---
 apps/gui/line.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/apps/gui/line.c b/apps/gui/line.c
index fd35102ab0..5e22d6da26 100644
--- a/apps/gui/line.c
+++ b/apps/gui/line.c
@@ -184,6 +184,7 @@ static void print_line(struct screen *display,
     enum themable_icons icon;
     char tempbuf[MAX_PATH+32];
     unsigned int tempbuf_idx;
+    int max_width = display->getwidth();
 
     height = line->height == -1 ? display->getcharheight() : line->height;
     icon_h = get_icon_height(display->screen_type);
@@ -195,7 +196,7 @@ static void print_line(struct screen *display,
     y += height/2 - display->getcharheight()/2;
 
     /* parse format string */
-    while (1)
+    while (xpos < max_width)
     {
         ch = *fmt++;
         /* need to check for escaped '$' */
@@ -280,8 +281,9 @@ next:
                 DEBUGF("%s ", ch ? "put_line: String truncated" : "");
             }
             if (!ch)
-            {   /* end of string. put it online */
-                put_text(display, xpos, y, line, tempbuf, false, 0);
+            {   /* end of format string. flush pending inline string, if any */
+                if (tempbuf[0])
+                    put_text(display, xpos, y, line, tempbuf, false, 0);
                 return;
             }
             else if (ch == '$')
-- 
cgit v1.2.3