Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 68ccf5c4 authored by James Wei's avatar James Wei
Browse files

MTP: Sanitize filename provided from MTP host#2 

Fix potential stack buffer-overflow

Bug: 135764253
Test: atest frameworks/av/media/mtp/tests
Test: Manual test: modified libmtp for long path traversal attack
Test: Manual test: normal recursive folder copy
Change-Id: Idcefb9a27da7481e821f3de22821cb461e2e1a9b
parent 4c3979cf

media/mtp/MtpServer.cpp

+1 −1
Original line number Original line Diff line number Diff line
@@ -966,7 +966,7 @@ MtpResponseCode MtpServer::doSendObjectInfo() { 
        (strcmp(name, "/") == 0) || (strcmp(basename(name), name) != 0)) {

        (strcmp(name, "/") == 0) || (strcmp(basename(name), name) != 0)) {

        char errMsg[80];

        char errMsg[80];





        sprintf(errMsg, "Invalid name: %s", (const char *) name);

        snprintf(errMsg, sizeof(errMsg), "Invalid name: %s", (const char *) name);

        ALOGE("%s (b/130656917)", errMsg);

        ALOGE("%s (b/130656917)", errMsg);

        android_errorWriteWithInfoLog(SN_EVENT_LOG_ID, "130656917", -1, errMsg,

        android_errorWriteWithInfoLog(SN_EVENT_LOG_ID, "130656917", -1, errMsg,

                                      strlen(errMsg));

                                      strlen(errMsg));