projects / platform / core / security / drm-service-core-tizen.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix SVACE defect(WGID=423935, Buffer overflow)
[platform/core/security/drm-service-core-tizen.git] / tadcore / TADCCore / TADC_Core.cpp
diff --git a/tadcore/TADCCore/TADC_Core.cpp b/tadcore/TADCCore/TADC_Core.cpp
index 670cfea..d1d4fef 100644 (file)
--- a/tadcore/TADCCore/TADC_Core.cpp
+++ b/tadcore/TADCCore/TADC_Core.cpp
@@ -265,6 +265,8 @@ int TADC_MakeRequestRO(T_ROACQ_INFO *t_ROAcqInfo, unsigned char *outBuffer,
 
        i += (k * 2);
 
+       IF_TRUE_RETURN((i >= outBufferSize), TADC_PARAMETER_ERROR);
+
        outBuffer[i] = 0;
 
        StrSize = i - reqdataset_size;
@@ -381,7 +383,7 @@ int TADC_GetHashReqID(unsigned char *inBuffer, unsigned char *hashReqID)
 }
 
 int TADC_GetResponseRO(unsigned char *inBuffer, T_ROACQ_INFO *t_ROAcqInfo,
-                                          T_RO *t_RO, unsigned char *outBuffer)
+                          T_RO *t_RO, unsigned char *outBuffer, unsigned int outBufferLen)
 {
        int nHMacSize = 28; // Base64 Enc length of SHA1 20byte
        TADC_U8 sha1_tmp[20] = {0, };
@@ -424,7 +426,7 @@ int TADC_GetResponseRO(unsigned char *inBuffer, T_ROACQ_INFO *t_ROAcqInfo,
        IF_TRUE_RETURN(t_RO == NULL, TADC_PARAMETER_ERROR);
 
        nSize = TADC_IF_StrLen((char *)inBuffer);
-       IF_TRUE_RETURN(nSize <= 40 || nSize > RESP_MAXSIZE, TADC_PARAMETER_ERROR);
+       IF_TRUE_RETURN(nSize <= 40 || nSize > RESP_MAXSIZE || nSize >= (int)outBufferLen, TADC_PARAMETER_ERROR);
 
        IF_TRUE_RETURN(t_ROAcqInfo->t_DHInfo.pSize <= 0 ||
                                   t_ROAcqInfo->t_DHInfo.pSize > DHKey_SIZE, TADC_PARAMETER_ERROR);
Domain: Security / Utilities;