From 2ea12f73db333d0d6b01f92f2a092ada034c7f27 Mon Sep 17 00:00:00 2001 From: Romain Vimont Date: Sun, 6 Feb 2022 12:17:39 +0100 Subject: [PATCH] Fix adb getprop parsing The function assumed that the raw output of "adb getprop" was a NUL-terminated string, but it is not the case. It this output did not end with a space or a new line character, then sc_str_truncate() would write '\0' over the last character. Even worse, if the output was empty, then sc_str_truncate() would write out-of-bounds. Avoid the error-prone sc_str_truncate() util function. --- app/src/adb/adb.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/app/src/adb/adb.c b/app/src/adb/adb.c index 5a1ed25d..2fd4b35d 100644 --- a/app/src/adb/adb.c +++ b/app/src/adb/adb.c @@ -385,7 +385,7 @@ sc_adb_getprop(struct sc_intr *intr, const char *serial, const char *prop, } char buf[128]; - ssize_t r = sc_pipe_read_all_intr(intr, pid, pout, buf, sizeof(buf)); + ssize_t r = sc_pipe_read_all_intr(intr, pid, pout, buf, sizeof(buf) - 1); sc_pipe_close(pout); bool ok = process_check_success_intr(intr, pid, "adb getprop", flags); @@ -397,7 +397,10 @@ sc_adb_getprop(struct sc_intr *intr, const char *serial, const char *prop, return NULL; } - sc_str_truncate(buf, r, " \r\n"); + assert((size_t) r < sizeof(buf)); + buf[r] = '\0'; + size_t len = strcspn(buf, " \r\n"); + buf[len] = '\0'; return strdup(buf); }