From 34e560b9a1e44dcfa0c220c9499bbb833a95a2b4 Mon Sep 17 00:00:00 2001
From: Elliott Hughes <enh@google.com>
Date: Wed, 9 Mar 2016 19:28:03 -0800
Subject: [PATCH] Fix buffer overrun in adb wait-for-device.

Bug: http://b/27444063
Change-Id: I72339d7215aae28069484b9796d71fe0c53dff96
---
 adb/commandline.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/adb/commandline.cpp b/adb/commandline.cpp
index 30a38e399..a856672eb 100644
--- a/adb/commandline.cpp
+++ b/adb/commandline.cpp
@@ -1029,8 +1029,8 @@ static bool check_wait_for_device_syntax(const char* service) {
     // TODO: when we have libc++ for Windows, use a regular expression instead.
     // wait-for-((any|local|usb)-)?(bootloader|device|recovery|sideload)
 
-    char type[20];
-    char state[20];
+    char type[20 + 1]; // sscanf's %20[...] doesn't include the NUL.
+    char state[20 + 1];
     int length = 0;
     if (sscanf(service, "wait-for-%20[a-z]-%20[a-z]%n", type, state, &length) < 2 ||
         length != static_cast<int>(strlen(service))) {