From b45b5c9f227473050ef785d11e518e947c8754fb Mon Sep 17 00:00:00 2001
From: Keith Preston
Date: Thu, 11 Feb 2010 15:12:53 -0600
Subject: [PATCH] Fix Heap Corruption from too long of a TAG

snprintf has a weird return value. It returns what would have been written given a large enough buffer. In the case that the prefix is longer then our buffer(128), it messes up the calculations below possibly causing heap corruption. To avoid this we double check and set the length at the maximum (size minus null byte
---
 liblog/logprint.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/liblog/logprint.c b/liblog/logprint.c
index 080f9e364..acfa9f4c4 100644
--- a/liblog/logprint.c
+++ b/liblog/logprint.c
@@ -753,6 +753,16 @@ char *android_log_formatLogLine (
 suffixLen = 1;
 break;
 }
+ /* snprintf has a weird return value. It returns what would have been
+ * written given a large enough buffer. In the case that the prefix is
+ * longer then our buffer(128), it messes up the calculations below
+ * possibly causing heap corruption. To avoid this we double check and
+ * set the length at the maximum (size minus null byte)
+ */
+ if(prefixLen >= sizeof(prefixBuf))
+ prefixLen = sizeof(prefixBuf) - 1;
+ if(suffixLen >= sizeof(suffixBuf))
+ suffixLen = sizeof(suffixBuf) - 1;
 /* the following code is tragically unreadable */
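Review bot: The clamp on the added `if(prefixLen >= sizeof(prefixBuf))` line bounds the length that feeds the allocation below, but it is applied after the fact rather than at the snprintf calls that produce `prefixLen`, so a format case added later can reintroduce the bug unless its author remembers this block; the usual C idiom is to check each return where it is made, `if (n < 0 || (size_t)n >= sizeof prefixBuf) n = sizeof prefixBuf - 1;`. As written the guard also absorbs a negative snprintf error return only if `prefixLen` is unsigned (its declaration is outside the hunk), and in that case the buffer contents are indeterminate even though the length is now bounded, which deserves a one-line comment. The `suffixLen` clamp looks like dead code in the visible case, where `suffixLen = 1;` is a literal, though it is harmless. Minor: the added comment reads "longer then our buffer(128)" and its last sentence lacks a closing parenthesis; `longer than our buffer (128)` and `(size minus the NUL byte).` read correctly. The enclosing android_log_formatLogLine begins and ends outside the hunk.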