authorGravatar Elijah Conners <business@elijahpepe.com>2022-07-19 22:37:47 -0700
committerGravatar Elijah Conners <business@elijahpepe.com>2022-07-19 22:37:47 -0700
commit68da198e67ef88a55dfb184b804b91534d9406fc (patch)
tree163c1955b106a3b2c2068d9e62d7f32b6328b667
parent0c8bd82e90bac01f8afc6afdd5754d9d9b16cf68 (diff)
fix(mutex): safely call snprintf
In the PostSynchEvent() function, the pos integer uses an implementation of snprintf that is fundamentally unsafe: since the return value of snprintf is the number of characters that would have been written to the buffer, if an operation reaches the end of the buffer with more than one character discarded, the return value will be greater than the buffer size, requiring a check of the buffer's current size. Signed-off-by: Elijah Conners <business@elijahpepe.com>
-rw-r--r--absl/synchronization/mutex.cc6
1 files changed, 5 insertions, 1 deletions
diff --git a/absl/synchronization/mutex.cc b/absl/synchronization/mutex.cc
index 52e2455d..1e3ca35a 100644
--- a/absl/synchronization/mutex.cc
+++ b/absl/synchronization/mutex.cc
@@ -430,7 +430,11 @@ static void PostSynchEvent(void *obj, int ev) {
char buffer[ABSL_ARRAYSIZE(pcs) * 24];
int pos = snprintf(buffer, sizeof (buffer), " @");
for (int i = 0; i != n; i++) {
- pos += snprintf(&buffer[pos], sizeof (buffer) - pos, " %p", pcs[i]);
+ int b += snprintf(&buffer[pos], sizeof (buffer) - pos, " %p", pcs[i]);
+ if (b < 0 || b >= sizeof (buffer) - pos) {
+ break;
+ }
+ pos += b;
}
ABSL_RAW_LOG(INFO, "%s%p %s %s", event_properties[ev].msg, obj,
(e == nullptr ? "" : e->name), buffer);
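Review bot: The added declaration `int b += snprintf(&buffer[pos], sizeof (buffer) - pos, " %p", pcs[i]);` does not compile, because a declaration cannot be initialised with a compound assignment; it should read `int b = snprintf(&buffer[pos], sizeof (buffer) - pos, " %p", pcs[i]);`. The guard on the next line compares the signed `b` with the unsigned `sizeof (buffer) - pos`, which is only correct because `b < 0` is tested first; writing it as `if (b < 0 || static_cast<size_t>(b) >= sizeof (buffer) - pos)` makes that explicit and avoids a sign-compare warning. When the loop breaks early the log line is emitted with a silently shortened address list, so a short comment such as `// Stop on error or truncation; buffer stays NUL-terminated but may omit trailing PCs.` above the `break` would help readers of the log. PostSynchEvent's body starts and ends outside this hunk.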