From e145d51ba6d4a90ab86f7f22b1c75be4e62ba916 Mon Sep 17 00:00:00 2001
From: Wayne Davison
Date: Wed, 30 Mar 2005 23:39:00 +0000
Subject: [PATCH] Make sure that we can't scan past the end of the format string.
---
 log.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/log.c b/log.c
index c6d2fc81..87cd1d77 100644
--- a/log.c
+++ b/log.c
@@ -371,6 +371,8 @@ static void log_formatted(enum logcode code, char *format, char *op,
 *n++ = *p++;
 while (isdigit(*(uchar*)p) && n - fmt < (int)(sizeof fmt) - 8)
 *n++ = *p++;
+ if (!*p)
+ break;
 *n = '\0';
 n = NULL;
@@ -497,9 +499,6 @@ static void log_formatted(enum logcode code, char *format, char *op,
 break;
 }
- /* Subtract the length of the escape from the string's size. */
- total -= p - s;
-
 /* "n" is the string to be inserted in place of this % code. */
 if (!n)
 continue;
@@ -510,6 +509,9 @@ static void log_formatted(enum logcode code, char *format, char *op,
 }
 len = strlen(n);
+ /* Subtract the length of the escape from the string's size. */
+ total -= p - s;
+
 if (len + total >= sizeof buf) {
 rprintf(FERROR,
 "buffer overflow expanding %%%c -- exiting\n",
-- 
2.34.1
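Review bot: The added `if (!*p) break;` in the first hunk carries no comment, although it is the check that keeps the escape scan inside the format string, so a later cleanup could remove it as redundant. A line above it such as `/* '%' or '%<width>' at the very end of the format: stop before reading past the NUL. */` would record the intent. The `break` also appears to leave the truncated escape in place with no diagnostic; if that is intended, the same comment should say so. The digit loop can stop at the `sizeof fmt - 8` limit with `p` still on a digit, and how the code after this hunk handles that is not visible here. log_formatted begins and ends outside the hunk.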
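Review bot: The comment moved with `total -= p - s;` in the third hunk does not say why its position matters, and the position is the fix. The subtraction now sits after the `if (!n) continue;` seen in the second hunk, so only an escape that is actually replaced reduces `total` before the `len + total >= sizeof buf` check. I would extend the comment to something like `/* Only a replaced escape shrinks the string; one we skip stays in the buffer and must still be counted. */`. The declarations of `len` and `total` are outside the hunk; if either is signed, the mixed comparison against `sizeof buf` deserves an explicit `size_t` cast so a negative intermediate cannot pass the bound. The enclosing function starts and ends outside the hunk.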