Fix for buffer overrun crash at copying nmea string

Add zero clearing of allocated nmea buffer to ensure
the nmea string is null terminated.

CRs-Fixed: 2041933
Fixes: 37987256
Fixes: 37911727
Test: Builds, GPS works, with NMEA on, inside/outside, w/o crash.

Change-Id: I7b9a52eee8baf2d0a269fc5e2ec95f12d1d7aece

2 files changed, 3 insertions, 3 deletions

diff --git a/msm8998/core/SystemStatus.cpp b/msm8998/core/SystemStatus.cpp
index 12f97dd..f4f07f2 100644
--- a/msm8998/core/SystemStatus.cpp
+++ b/msm8998/core/SystemStatus.cpp
@@ -1396,7 +1396,7 @@ bool SystemStatus::setNmeaString(const char *data, uint32_t len)
     }
 
     char buf[SystemStatusNmeaBase::NMEA_MAXSIZE + 1] = { 0 };
-    strlcpy(buf, data, (len < strlen(data))? len : strlen(data));
+    strlcpy(buf, data, sizeof(buf));
 
     pthread_mutex_lock(&mMutexSystemStatus);
 
diff --git a/msm8998/gnss/GnssAdapter.cpp b/msm8998/gnss/GnssAdapter.cpp
index 4f04ada..472a5d3 100644
--- a/msm8998/gnss/GnssAdapter.cpp
+++ b/msm8998/gnss/GnssAdapter.cpp
@@ -1977,9 +1977,9 @@ GnssAdapter::reportNmeaEvent(const char* nmea, size_t length, bool fromUlp)
                              size_t length) :
             LocMsg(),
             mAdapter(adapter),
-            mNmea(new char[length]),
+            mNmea(new char[length+1]),
             mLength(length) {
-                memcpy((void*)mNmea, (void*)nmea, length);
+                strlcpy((char*)mNmea, nmea, length+1);
             }
         inline virtual ~MsgReportNmea()
         {