MTP: Sanitize filename provided from MTP host#2 Fix potential stack buffer-overflow Bug: 135764253 Test: atest frameworks/av/media/mtp/tests Test: Manual test: modified libmtp for long path traversal attack Test: Manual test: normal recursive folder copy Change-Id: Idcefb9a27da7481e821f3de22821cb461e2e1a9b

commit: 68ccf5c4139e38a3908aa9f1ab7f388796b8241f [log] [tgz]
author: James Wei <jameswei@google.com> Tue Jun 25 18:58:37 2019 +0800
committer: James Wei <jameswei@google.com> Tue Jun 25 18:58:37 2019 +0800
tree: 0ea19ed7587e015993389262a1f66414eba2a1f6
parent: 4c3979cf2bdb0ef406898496e1bb14202f3821dc [diff] [blame]
diff --git a/media/mtp/MtpServer.cpp b/media/mtp/MtpServer.cpp
index 6160c3c..6adf563 100644
--- a/media/mtp/MtpServer.cpp
+++ b/media/mtp/MtpServer.cpp

@@ -966,7 +966,7 @@
         (strcmp(name, "/") == 0) || (strcmp(basename(name), name) != 0)) {
         char errMsg[80];
 
-        sprintf(errMsg, "Invalid name: %s", (const char *) name);
+        snprintf(errMsg, sizeof(errMsg), "Invalid name: %s", (const char *) name);
         ALOGE("%s (b/130656917)", errMsg);
         android_errorWriteWithInfoLog(SN_EVENT_LOG_ID, "130656917", -1, errMsg,
                                       strlen(errMsg));
commit	68ccf5c4139e38a3908aa9f1ab7f388796b8241f	[log] [tgz]
author	James Wei <jameswei@google.com>	Tue Jun 25 18:58:37 2019 +0800
committer	James Wei <jameswei@google.com>	Tue Jun 25 18:58:37 2019 +0800
tree	0ea19ed7587e015993389262a1f66414eba2a1f6
parent	4c3979cf2bdb0ef406898496e1bb14202f3821dc [diff] [blame]