From de6618a2713ef26f888762cbe6539cc65a393c7c Mon Sep 17 00:00:00 2001
From: William Wilgus
Date: Tue, 6 Nov 2018 12:33:38 -0500
Subject: Fix vuprintf fix possible %s buffer over-read when precision is not specified memchr recieved -1 for count count is unsigned so it looks in a potentially very large area for a terminator and returns this whole area if \0 is not found Instead we should use memchr when precision is specified and if precision is not specified use strlen Fixes 60+Mb Config.cfg files
Change-Id: Ic4d1439334588f999c9071235430c42df2af5cc4
---
 firmware/common/vuprintf.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/firmware/common/vuprintf.c b/firmware/common/vuprintf.c
index 152dc93299..7dd9449e56 100644
--- a/firmware/common/vuprintf.c
+++ b/firmware/common/vuprintf.c
@@ -473,15 +473,20 @@ static inline const char * format_s(const void *str,
 return NULL; /* wchar_t support for now */
 }
 
+ const char *s = str;
+ size_t len;
 /* string length may be specified by precision instead of \0-
 terminated; however, don't go past a \0 if one is there */
- const char *s = str;
- size_t len = precision >= 0 ? precision : -1;
-
- const char *nil = memchr(s, '\0', len);
- if (nil) {
- len = nil - s;
- }
+ if (precision >= 0) {
+ const char *nil = memchr(s, '\0', (size_t) precision);
+
+ if (nil != NULL && (nil - s) < precision)
+ len = nil - s;
+ else
+ len = precision;
+ }
+ else
+ len = strlen(s);
 
 fmt_buf->length = len;
 return s;
--
cgit v1.2.3
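Review bot: Neither branch of the new length computation checks `s` for NULL before `memchr(s, '\0', (size_t) precision)` or `strlen(s)`, so a NULL `%s` argument is undefined behaviour unless the caller filters it out, which this hunk does not show. If no such filter exists, a guard placed before the `if (precision >= 0)` test would close it, for example `if (s == NULL) { fmt_buf->length = 0; return ""; }`, or whatever placeholder the project prefers. The `(nil - s) < precision` test is redundant, because a non-NULL result from `memchr` bounded by `precision` is already inside that range, so the condition can be just `if (nil != NULL)`. It would also help to note in the existing comment that with an explicit precision the caller must guarantee at least `precision` readable bytes when no terminator is present. The body of format_s starts and ends outside the hunk.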