On Sun, Sep 12 2021, Ian Darwin <i...@darwinsys.com> wrote: > This leaves one snprintf %n which is inside "#ifdef APPLE" and two > scanf(%n) which are all ignorable. > > tests/oks?
I would suggest a simpler approach: > Index: Makefile > =================================================================== > RCS file: /cvs/ports/devel/adb/Makefile,v > retrieving revision 1.3 > diff -u -p -r1.3 Makefile > --- Makefile 17 Jul 2019 14:49:20 -0000 1.3 > +++ Makefile 12 Sep 2021 22:02:59 -0000 > @@ -5,7 +5,7 @@ COMMENT = Android Debug Bridge > V = 5.1.1_r4 > DISTNAME = adb-${V} > PKGNAME = ${DISTNAME:S/_r/./} > -REVISION = 0 > +REVISION = 1 > > GH_ACCOUNT = android > GH_PROJECT = platform_system_core > Index: patches/patch-adb_transport_c > =================================================================== > RCS file: patches/patch-adb_transport_c > diff -N patches/patch-adb_transport_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-adb_transport_c 12 Sep 2021 22:02:59 -0000 > @@ -0,0 +1,25 @@ > +$OpenBSD$ > +Add error checking and avoid %n > + > +Index: adb/transport.c > +--- adb/transport.c.orig > ++++ adb/transport.c > +@@ -912,11 +912,17 @@ static void add_qual(char **buf, size_t *buf_size, > + { > + size_t len; > + int prefix_len; > ++ char tbuf[*buf_size]; At least in base we try to avoid C99 VLAs, just like alloca(). > + > + if (!buf || !*buf || !buf_size || !*buf_size || !qual || !*qual) > + return; > + > +- len = snprintf(*buf, *buf_size, "%s%n%s", prefix, &prefix_len, qual); > ++ prefix_len = snprintf(tbuf, *buf_size, "%s", prefix); I'd suggest: prefix_len = strlen(prefix); > ++ if (prefix_len == -1 || prefix_len > *buf_size) > ++ return; > ++ len = snprintf(*buf, *buf_size, "%s%s", tbuf, qual); And then len = snprintf(*buf, *buf_size, "%s%s", prefix, qual); > ++ if (len == -1 || len > *buf_size) Note that len is a size_t, so (len == -1) looks odd. Maybe let upstream figure out the error checking, the checks in list_transports() and list_transports() don't look safe anyway. > ++ return; > + > + if (sanitize_qual) { > + char *cp; > -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE