From c221134bc39e8a929f273b5ffff606afe14a9b77 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Fri, 23 Apr 2021 14:57:22 +0200
Subject: pj_vlog(): fix buffer overflow in case of super lengthy error message

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33594
---
 src/log.cpp | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/log.cpp b/src/log.cpp
index c50b0ebc..6bad34d4 100644
--- a/src/log.cpp
+++ b/src/log.cpp
@@ -49,7 +49,7 @@ void pj_stderr_logger( void *app_data, int level, const char *msg )
 /*                               pj_vlog()                              */
 /************************************************************************/
 void pj_vlog( PJ_CONTEXT *ctx, int level, const char *fmt, va_list args );
-/* Workhorse for the log functions - relates to pj_log as vsprintf relates to sprintf */
+
 void pj_vlog( PJ_CONTEXT *ctx, int level, const char *fmt, va_list args )
 
 {
@@ -67,12 +67,13 @@ void pj_vlog( PJ_CONTEXT *ctx, int level, const char *fmt, va_list args )
     if( level > debug_level )
         return;
 
-    msg_buf = (char *) malloc(100000);
+    constexpr size_t BUF_SIZE = 100000;
+    msg_buf = (char *) malloc(BUF_SIZE);
     if( msg_buf == nullptr )
         return;
 
-    /* we should use vsnprintf where available once we add configure detect.*/
-    vsprintf( msg_buf, fmt, args );
+    vsnprintf( msg_buf, BUF_SIZE, fmt, args );
+    msg_buf[BUF_SIZE-1] = '\0';
 
     ctx->logger( ctx->logger_app_data, level, msg_buf );
 
-- 
cgit v1.2.3