ei = _check_brace(pmethod->signature_in + m + 1);
if (ei > 0) {
char tmp[128] = {0,};
+ if(ei + 1 > sizeof(tmp) - 1) {
+ _E("tmp buffer for signature_in overflow. sizeof(tmp)=%lu ei=%d\n", sizeof(tmp), ei);
+ free(buf);
+ return -1;
+ }
strncpy(tmp, pmethod->signature_in + m, ei + 1);
nwrite += snprintf(buf + nwrite, buf_cal_free_space(buf_len, nwrite), "\t\t\t""<arg type='%s' name='arg%d' direction='in'/>""\n", tmp, m);
m += ei;
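Review bot: The added `_E` call prints `sizeof(tmp)` with `%lu`, but `sizeof` yields a `size_t`, so on a target where `unsigned long` and `size_t` differ in width the arguments are misread; `%zu` is the matching specifier. The guard `ei + 1 > sizeof(tmp) - 1` also compares what appears to be an `int` (it is logged with `%d`) against a `size_t`, which is sound only because the enclosing `if (ei > 0)` excludes negative values. Writing it as `if ((size_t)ei + 1 >= sizeof(tmp))` makes that explicit and still leaves the final byte of the zero-initialised `tmp` as the terminator that `strncpy` does not add. The same two lines recur in the `signature_out` hunk that follows. The enclosing function starts and ends outside the hunk, so it cannot be confirmed from here that `free(buf)` is the only cleanup this early return needs.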
ei = _check_brace(pmethod->signature_out + m + 1);
if (ei > 0) {
char tmp[128] = {0,};
+ if(ei + 1 > sizeof(tmp) - 1) {
+ _E("tmp buffer for signature_out overflow. sizeof(tmp)=%lu ei=%d\n", sizeof(tmp), ei);
+ free(buf);
+ return -1;
+ }
strncpy(tmp, pmethod->signature_out + m, ei + 1);
nwrite += snprintf(buf + nwrite, buf_cal_free_space(buf_len, nwrite), "\t\t\t""<arg type='%s' name='arg%d' direction='out'/>""\n", tmp, m);
m += ei;