ecore_evas extn - fix buffer n check for lock files with untrusted val

the code added by minkyoung has a definite security flaw here trusting
e->response to be within a small range when all it is is an int -
range is not limited other than that... so fix the code to check for
range like further code below does.

this commit went in 2 days ago... so not an existing bug fix.

diff --git a/src/modules/ecore_evas/engines/extn/ecore_evas_extn.c b/src/modules/ecore_evas/engines/extn/ecore_evas_extn.c
index af5f3de..16335da 100644 (file)
--- a/src/modules/ecore_evas/engines/extn/ecore_evas_extn.c
+++ b/src/modules/ecore_evas/engines/extn/ecore_evas_extn.c
@@ -1021,16 +1021,20 @@ _ipc_server_data(void *data, int type EINA_UNUSED, void *event)
            {
               Ipc_Data_Update *ipc;
               int n = e->response;
+
               /* b->lockfd is not enough to ensure the size is same 
                * between what server knows, and client knows.
                * So should check file lock also. */
-              if (extn->b[n].buf && (!_extnbuf_lock_file_get(extn->b[n].buf)))
-                {  
-                   EINA_LIST_FREE(extn->file.updates, ipc)
+              if ((n >= 0) && (n < NBUF))
+                {
+                   if (extn->b[n].buf && (!_extnbuf_lock_file_get(extn->b[n].buf)))
                      {
-                        free(ipc);
+                        EINA_LIST_FREE(extn->file.updates, ipc)
+                          {
+                             free(ipc);
+                          }
+                        break;
                      }
-                   break;
                 }
 
               EINA_LIST_FREE(extn->file.updates, ipc)