From c1c245f21bbf2d28e9e7917abf673e729e77c977 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Wed, 6 Oct 2021 09:51:21 +1100
Subject: [PATCH] AP_Scripting: fixed bug in string logging with logger.write() this dereferenced a bad pointer, leading to crash and watchdog thanks to Charlie for finding this!
---
 libraries/AP_Scripting/lua_bindings.cpp | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/libraries/AP_Scripting/lua_bindings.cpp b/libraries/AP_Scripting/lua_bindings.cpp
index e5bdfcc97a..163694457b 100644
--- a/libraries/AP_Scripting/lua_bindings.cpp
+++ b/libraries/AP_Scripting/lua_bindings.cpp
@@ -9,6 +9,7 @@
 #include
 #include
+#include
 extern const AP_HAL::HAL& hal;
@@ -261,10 +262,16 @@ static int AP_Logger_Write(lua_State *L) {
 }
 if (charlen != 0) {
 const char *tmp = luaL_checkstring(L, i);
- if (strlen(tmp) > charlen) {
+ const size_t slen = strlen(tmp);
+ if (slen > charlen) {
 return luaL_error(L, "arg %i too long for %c format",i,fmt_cat[i-3]);
 }
- luaL_addlstring(&buffer, (char *)&tmp, charlen);
+ char tstr[charlen];
+ memcpy(tstr, tmp, slen);
+ if (slen < charlen) {
+ memset(&tstr[slen], 0, charlen-slen);
+ }
+ luaL_addlstring(&buffer, tstr, charlen);
 }
 }
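Review bot: In the second hunk, `char tstr[charlen];` is a variable-length array, which is a compiler extension in C++ and sizes a stack allocation from a value assigned outside this hunk. If `charlen` can only be one of the fixed string field widths (not visible here), a fixed-size array of the largest width, guarded by a check such as `if (charlen > sizeof(tstr))` that returns `luaL_error`, would make the bound explicit where the copy happens. Separately, `strlen(tmp)` stops at the first NUL, so a script string with an embedded NUL is logged truncated without an error; taking the length from `luaL_checklstring(L, i, &len)` into a non-const `size_t` would use the real Lua length. A short comment such as `// log string fields are fixed width, zero-padded` above the copy would also record why the padding is needed. AP_Logger_Write starts and ends outside the hunk, so the range of `charlen` should be confirmed against the full function.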