1 files changed, 20 insertions, 14 deletions

diff --git a/libs/androidfw/BackupHelpers.cpp b/libs/androidfw/BackupHelpers.cpp
index 9300794cf310..78e9d91c4d67 100644
--- a/libs/androidfw/BackupHelpers.cpp
+++ b/libs/androidfw/BackupHelpers.cpp
@@ -442,7 +442,7 @@ back_up_files(int oldSnapshotFD, BackupDataWriter* dataStream, int newSnapshotFD
     return 0;
 }
 
-static void calc_tar_checksum(char* buf) {
+static void calc_tar_checksum(char* buf, size_t buf_size) {
     // [ 148 :   8 ] checksum -- to be calculated with this field as space chars
     memset(buf + 148, ' ', 8);
 
@@ -453,11 +453,13 @@ static void calc_tar_checksum(char* buf) {
 
     // Now write the real checksum value:
     // [ 148 :   8 ]  checksum: 6 octal digits [leading zeroes], NUL, SPC
-    sprintf(buf + 148, "%06o", sum); // the trailing space is already in place
+    snprintf(buf + 148, buf_size - 148, "%06o", sum); // the trailing space is
+                                                      // already in place
 }
 
 // Returns number of bytes written
-static int write_pax_header_entry(char* buf, const char* key, const char* value) {
+static int write_pax_header_entry(char* buf, size_t buf_size,
+                                  const char* key, const char* value) {
     // start with the size of "1 key=value\n"
     int len = strlen(key) + strlen(value) + 4;
     if (len > 9) len++;
@@ -466,7 +468,7 @@ static int write_pax_header_entry(char* buf, const char* key, const char* value)
     // since PATH_MAX is 4096 we don't expect to have to generate any single
     // header entry longer than 9999 characters
 
-    return sprintf(buf, "%d %s=%s\n", len, key, value);
+    return snprintf(buf, buf_size, "%d %s=%s\n", len, key, value);
 }
 
 // Wire format to the backup manager service is chunked:  each chunk is prefixed by
@@ -550,8 +552,12 @@ int write_tarfile(const String8& packageName, const String8& domain,
     // read/write up to this much at a time.
     const size_t BUFSIZE = 32 * 1024;
     char* buf = (char *)calloc(1,BUFSIZE);
-    char* paxHeader = buf + 512;    // use a different chunk of it as separate scratch
-    char* paxData = buf + 1024;
+    const size_t PAXHEADER_OFFSET = 512;
+    const size_t PAXHEADER_SIZE = 512;
+    const size_t PAXDATA_SIZE = BUFSIZE - (PAXHEADER_SIZE + PAXHEADER_OFFSET);
+    char* const paxHeader = buf + PAXHEADER_OFFSET; // use a different chunk of
+                                                    // it as separate scratch
+    char* const paxData = paxHeader + PAXHEADER_SIZE;
 
     if (buf == NULL) {
         ALOGE("Out of mem allocating transfer buffer");
@@ -630,21 +636,21 @@ int write_tarfile(const String8& packageName, const String8& domain,
     // already preflighted
     if (needExtended) {
         char sizeStr[32];   // big enough for a 64-bit unsigned value in decimal
-        char* p = paxData;
 
         // construct the pax extended header data block
-        memset(paxData, 0, BUFSIZE - (paxData - buf));
+        memset(paxData, 0, PAXDATA_SIZE);
 
         // size header -- calc len in digits by actually rendering the number
         // to a string - brute force but simple
+        int paxLen = 0;
         snprintf(sizeStr, sizeof(sizeStr), "%lld", (long long)s.st_size);
-        p += write_pax_header_entry(p, "size", sizeStr);
+        paxLen += write_pax_header_entry(paxData, PAXDATA_SIZE, "size", sizeStr);
 
         // fullname was generated above with the ustar paths
-        p += write_pax_header_entry(p, "path", fullname.string());
+        paxLen += write_pax_header_entry(paxData + paxLen, PAXDATA_SIZE - paxLen,
+                "path", fullname.string());
 
         // Now we know how big the pax data is
-        int paxLen = p - paxData;
 
         // Now build the pax *header* templated on the ustar header
         memcpy(paxHeader, buf, 512);
@@ -659,10 +665,10 @@ int write_tarfile(const String8& packageName, const String8& domain,
 
         // [ 124 :  12 ] size of pax extended header data
         memset(paxHeader + 124, 0, 12);
-        snprintf(paxHeader + 124, 12, "%011o", (unsigned int)(p - paxData));
+        snprintf(paxHeader + 124, 12, "%011o", (unsigned int)paxLen);
 
         // Checksum and write the pax block header
-        calc_tar_checksum(paxHeader);
+        calc_tar_checksum(paxHeader, PAXHEADER_SIZE);
         send_tarfile_chunk(writer, paxHeader, 512);
 
         // Now write the pax data itself
@@ -671,7 +677,7 @@ int write_tarfile(const String8& packageName, const String8& domain,
     }
 
     // Checksum and write the 512-byte ustar file header block to the output
-    calc_tar_checksum(buf);
+    calc_tar_checksum(buf, BUFSIZE);
     send_tarfile_chunk(writer, buf, 512);
 
     // Now write the file data itself, for real files.  We honor tar's convention that