Evas/cserve2: Add some safety checks when reading socket messages

Fixes CID 1039571 and 1039572.

diff --git a/src/bin/evas/dummy_slave.c b/src/bin/evas/dummy_slave.c
index 9b5638053b503cb0bc753849704cec915026a986..fb57250681d9a165c128c240d4ba76b4303dbb38 100644 (file)
--- a/src/bin/evas/dummy_slave.c
+++ b/src/bin/evas/dummy_slave.c
@@ -23,6 +23,10 @@ command_read(int fd, Slave_Command *cmd, void **params)
    if (ret < (int)sizeof(int) * 2)
      return EINA_FALSE;
 
+   if(!((ints[0] > 0) && (ints[0] <= 0xFFFF) &&
+        (ints[1] >= 0) && (ints[1] < SLAVE_COMMAND_LAST)))
+     return EINA_FALSE;
+
    size = ints[0];
    buf = malloc(size);
    if (!buf) return EINA_FALSE;

diff --git a/src/bin/evas/evas_cserve2.h b/src/bin/evas/evas_cserve2.h
index 86b3f8ca3b4bf0228e1419eb5fe83e1cd8f9096a..23698576665b9a09e6bc1820bd889489be3ba539 100644 (file)
--- a/src/bin/evas/evas_cserve2.h
+++ b/src/bin/evas/evas_cserve2.h
@@ -99,7 +99,8 @@ typedef enum {
    FONT_LOAD,
    FONT_GLYPHS_LOAD,
    SLAVE_QUIT,
-   ERROR
+   ERROR,
+   SLAVE_COMMAND_LAST
 } Slave_Command;
 
 struct _Slave_Msg_Image_Open {

diff --git a/src/bin/evas/evas_cserve2_slave.c b/src/bin/evas/evas_cserve2_slave.c
index 45d19df0ff21fc08f199797755b6584b12940f45..907b97ccc8cfef1b2b96e2368af9d92759fe6274 100644 (file)
--- a/src/bin/evas/evas_cserve2_slave.c
+++ b/src/bin/evas/evas_cserve2_slave.c
@@ -188,6 +188,9 @@ command_read(int fd, Slave_Command *cmd, void **params)
    if (ret < (int)sizeof(int) * 2)
      return EINA_FALSE;
 
+   EINA_SAFETY_ON_FALSE_RETURN_VAL((ints[0] > 0) && (ints[0] <= 0xFFFF), EINA_FALSE);
+   EINA_SAFETY_ON_FALSE_RETURN_VAL((ints[1] >= 0) && (ints[1] < SLAVE_COMMAND_LAST), EINA_FALSE);
+
    size = ints[0];
    buf = malloc(size);
    if (!buf) return EINA_FALSE;