From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> The return value of a call to snprintf is the number of characters that would have been written to the buffer assuming there was sufficient space. In the event that the operation reaches the end of the buffer and more than one character is discarded, the return value will be greater than the buffer size. Fixes: https://github.com/bluez/bluez/issues/1215 --- tools/test-runner.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/tools/test-runner.c b/tools/test-runner.c index 1d770330ceaa..7c9386d2c3d3 100644 --- a/tools/test-runner.c +++ b/tools/test-runner.c @@ -261,7 +261,15 @@ static void start_qemu(void) for (i = 1; i < test_argc; i++) { int len = sizeof(testargs) - pos; - pos += snprintf(testargs + pos, len, " %s", test_argv[i]); + int n = snprintf(testargs + pos, len, " %s", test_argv[i]); + + if (n < 0 || n >= len) { + fprintf(stderr, "Buffer overflow detected in " + "testargs\n"); + exit(EXIT_FAILURE); + } + + pos += n; } snprintf(cmdline, sizeof(cmdline), -- 2.49.0
