Check tmp buffer overflow 06/269706/5
authorSangYoun Kwak <sy.kwak@samsung.com>
Thu, 20 Jan 2022 05:14:21 +0000 (14:14 +0900)
committerSangYoun Kwak <sy.kwak@samsung.com>
Thu, 20 Jan 2022 06:43:30 +0000 (15:43 +0900)
Change-Id: I5de5195293f72444d91d7b8f89f72bfe3ac5301e
Signed-off-by: SangYoun Kwak <sy.kwak@samsung.com>
src/libgdbus/libgdbus.c

index 9eaa937..917b98f 100644 (file)
@@ -802,6 +802,11 @@ static int _get_xml_from_interfaces(char **xml, const dbus_interface_s *interfac
                                ei = _check_brace(pmethod->signature_in + m + 1);
                                if (ei > 0) {
                                        char tmp[128] = {0,};
+                                       if(ei + 1 > sizeof(tmp) - 1) {
+                                               _E("tmp buffer for signature_in overflow. sizeof(tmp)=%lu ei=%d\n", sizeof(tmp), ei);
+                                               free(buf);
+                                               return -1;
+                                       }
                                        strncpy(tmp, pmethod->signature_in + m, ei + 1);
                                        nwrite += snprintf(buf + nwrite, buf_cal_free_space(buf_len, nwrite), "\t\t\t""<arg type='%s' name='arg%d' direction='in'/>""\n", tmp, m);
                                        m += ei;
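Review bot: The `_E()` call in the added guard passes `sizeof(tmp)` to `%lu`, but `sizeof` yields `size_t`, which is not `unsigned long` on 32-bit ABIs, so the argument and the conversion do not match there (assuming `_E` is a printf-style logger). `%zu` is the matching specifier: `_E("tmp buffer for signature_in overflow. sizeof(tmp)=%zu ei=%d\n", sizeof(tmp), ei);`, and the same applies to the identical line in the signature_out hunk. The comparison `ei + 1 > sizeof(tmp) - 1` converts the signed `ei` to an unsigned type and is correct only because the enclosing `if (ei > 0)` excludes negative values; writing it as `(size_t)ei + 1 > sizeof(tmp) - 1` would make that dependency explicit. `_get_xml_from_interfaces` starts and ends outside the hunk.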
@@ -825,6 +830,11 @@ static int _get_xml_from_interfaces(char **xml, const dbus_interface_s *interfac
                                ei = _check_brace(pmethod->signature_out + m + 1);
                                if (ei > 0) {
                                        char tmp[128] = {0,};
+                                       if(ei + 1 > sizeof(tmp) - 1) {
+                                               _E("tmp buffer for signature_out overflow. sizeof(tmp)=%lu ei=%d\n", sizeof(tmp), ei);
+                                               free(buf);
+                                               return -1;
+                                       }
                                        strncpy(tmp, pmethod->signature_out + m, ei + 1);
                                        nwrite += snprintf(buf + nwrite, buf_cal_free_space(buf_len, nwrite), "\t\t\t""<arg type='%s' name='arg%d' direction='out'/>""\n", tmp, m);
                                        m += ei;
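Review bot: The bound `sizeof(tmp) - 1` in this guard has no comment saying why the last byte is held back, and the reason is easy to lose in a later edit: `strncpy()` does not terminate the destination when it copies the full count, so `tmp` is a valid string for the `%s` in the following `snprintf()` only because byte 127 keeps the zero from `= {0,}`. A comment above the check would record this, for example `/* strncpy() adds no NUL when it copies ei + 1 bytes; keep the final byte of tmp zero */`. The identical guard in the signature_in hunk would take the same comment, and the two copies could share one small static helper so the limit is stated once. The early `return -1` frees only `buf`; whether anything else allocated earlier in the function needs releasing cannot be seen from this hunk.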