Make sure that we can't scan past the end of the format string.

author Wayne Davison <wayned@samba.org>

Wed, 30 Mar 2005 23:39:00 +0000 (23:39 +0000)

committer Wayne Davison <wayned@samba.org>

Wed, 30 Mar 2005 23:39:00 +0000 (23:39 +0000)
author Wayne Davison <wayned@samba.org>
Wed, 30 Mar 2005 23:39:00 +0000 (23:39 +0000)
committer Wayne Davison <wayned@samba.org>
Wed, 30 Mar 2005 23:39:00 +0000 (23:39 +0000)
diff --git a/log.c b/log.c

index c6d2fc8..87cd1d7 100644 (file)
--- a/log.c
+++ b/log.c
@@ -371,6 +371,8 @@ static void log_formatted(enum logcode code, char *format, char *op,
                         *n++ = *p++;
                 while (isdigit(*(uchar*)p) && n - fmt < (int)(sizeof fmt) - 8)
                         *n++ = *p++;
+               if (!*p)
+                       break;
                 *n = '\0';
                 n = NULL;
  
@@ -497,9 +499,6 @@ static void log_formatted(enum logcode code, char *format, char *op,
                         break;
                 }
  
-               /* Subtract the length of the escape from the string's size. */
-               total -= p - s;
-
                 /* "n" is the string to be inserted in place of this % code. */
                 if (!n)
                         continue;
@@ -510,6 +509,9 @@ static void log_formatted(enum logcode code, char *format, char *op,
                 }
                 len = strlen(n);
  
+               /* Subtract the length of the escape from the string's size. */
+               total -= p - s;
+
                 if (len + total >= sizeof buf) {
                         rprintf(FERROR,
                                 "buffer overflow expanding %%%c -- exiting\n",
author	Wayne Davison <wayned@samba.org>
	Wed, 30 Mar 2005 23:39:00 +0000 (23:39 +0000)
committer	Wayne Davison <wayned@samba.org>
	Wed, 30 Mar 2005 23:39:00 +0000 (23:39 +0000)