A buffer in function test_flink_name was both too small and never checked for overflow. Both errors are fixed.
Signed-off-by: Steve Hampson <steven.t.hampson@xxxxxxxxx>
Reviewed-by: Ashutosh Dixit <ashutosh.dixit@xxxxxxxxx>
---
 tests/i915/gem_flink_race.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/tests/i915/gem_flink_race.c b/tests/i915/gem_flink_race.c
index c1f5d5d51..cf07aedf1 100644
--- a/tests/i915/gem_flink_race.c
+++ b/tests/i915/gem_flink_race.c
@@ -83,7 +83,7 @@ static void test_flink_name(int timeout)
 struct flink_name *threads;
 int r, i, num_threads;
 unsigned long count;
- char buf[256];
+ char buf[512];
 void *status;
 int len;
@@ -118,9 +118,13 @@ static void test_flink_name(int timeout)
 for (i = 0; i < num_threads; i++) {
 pthread_join(threads[i].thread, &status);
 igt_assert(status == 0);
- len += snprintf(buf + len, sizeof(buf) - len, "%lu, ", threads[i].count);
+ /* Below, constant 11 is 8 digit number, comma, space and null byte */
+ if ((len + 11 + 1) < sizeof(buf))
+ len += snprintf(buf + len, sizeof(buf) - len, "%8lu, ", threads[i].count);
 }
- snprintf(buf + len - 2, sizeof(buf) - len + 2, "] races");
+ /* Below, constant 9 is 7 bytes for terminating string plus \n and null byte */
+ if (len + 9 < sizeof(buf))
+ snprintf(buf + len - 2, sizeof(buf) - len + 2, "] races");
 igt_info("%s\n", buf);
 close(fd);
-- 
2.21.0
_______________________________________________ Intel-gfx mailing list Intel-gfx@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/intel-gfx
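Review bot: The loop guard's constant 11 in the second hunk assumes `%8lu` prints exactly eight digits, but 8 is only a minimum field width, so a larger `threads[i].count` makes snprintf() truncate and return more than it wrote, and `len` then overshoots the text actually in `buf`. The two `if` guards do appear to keep every later write inside the buffer, but only by silently skipping per-thread counts and, in the last guard, the closing `] races`, so the log line can end up cut off with nothing to show it; at about 10 bytes per entry, `buf[512]` holds roughly fifty threads. Checking the return value would replace both magic numbers: `r = snprintf(buf + len, sizeof(buf) - len, "%8lu, ", threads[i].count);` followed by `if (r > 0) len += (size_t)r < sizeof(buf) - len ? r : (int)(sizeof(buf) - len) - 1;`, which keeps `len` equal to the written length. That relies on `len` starting below `sizeof(buf)`; its initial value and the origin of `num_threads` are set outside these hunks, so both should be confirmed against the full function.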