fix buffer overflow 70/159070/1 accepted/tizen/unified/20171107.055315 submit/tizen/20171107.015550
authorJongkyu Koo <jk.koo@samsung.com>
Tue, 7 Nov 2017 00:59:41 +0000 (09:59 +0900)
committerJongkyu Koo <jk.koo@samsung.com>
Tue, 7 Nov 2017 01:10:23 +0000 (01:10 +0000)
Change-Id: I93e62e429bf25ce47068c7457fae4ebfeb27c752
Signed-off-by: Jongkyu Koo <jk.koo@samsung.com>
externals/MsgSpamFilter.cpp

index 63aecd6..6b63b1a 100755 (executable)
@@ -162,7 +162,7 @@ bool MsgCheckFilter(MsgDbHandler *pDbHandle, MSG_MESSAGE_INFO_S *pMsgInfo)
 
        int fileSize = 0;
        bool bFiltered = false;
-
+       int tmpLen = 0;
        for (int i = 1; i <= rowCnt; i++) {
                memset(filterValue, 0x00, sizeof(filterValue));
 
@@ -195,20 +195,25 @@ bool MsgCheckFilter(MsgDbHandler *pDbHandle, MSG_MESSAGE_INFO_S *pMsgInfo)
                                        pData = new char[pMsgInfo->dataSize+1];
 
                                        strncpy(pData, pMsgInfo->msgText, pMsgInfo->dataSize);
-                                       pData[strlen(pMsgInfo->msgText)] = '\0';
+                                       tmpLen = strlen(pMsgInfo->msgText);
+                                       if ( tmpLen < pMsgInfo->dataSize)
+                                               pData[tmpLen] = '\0';
+                                       else
+                                               pData[pMsgInfo->dataSize] = '\0';
                                }
                        }
                } else if (pMsgInfo->msgType.mainType == MSG_MMS_TYPE) {
-                       if (strlen(pMsgInfo->subject) > 0) {
+                       tmpLen = strlen(pMsgInfo->subject);
+                       if (tmpLen > 0) {
                                if (pData) {
                                        delete[] pData;
                                        pData = NULL;
                                }
 
-                               pData = new char[strlen(pMsgInfo->subject)+1];
+                               pData = new char[tmpLen+1];
 
-                               strncpy(pData, pMsgInfo->subject, strlen(pMsgInfo->subject));
-                               pData[strlen(pMsgInfo->subject)] = '\0';
+                               strncpy(pData, pMsgInfo->subject, tmpLen);
+                               pData[tmpLen] = '\0';
                        }
                }
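Review bot: The new `strlen(pMsgInfo->msgText)` in the SMS branch is still an unbounded read, so if `msgText` has no NUL within `dataSize` bytes the scan runs past the region that `strncpy` was limited to. Because `strncpy` zero-pads the destination up to `dataSize` when the source is shorter, the whole `if`/`else` can be replaced by `pData[pMsgInfo->dataSize] = '\0';`, which needs no `strlen` at all. `tmpLen` is an `int` holding a `size_t` and is compared with `dataSize`, whose type is not visible here; if that field is unsigned the comparison is mixed-sign, so declaring `tmpLen` as `size_t` would be safer. The MMS branch has the same unbounded `strlen(pMsgInfo->subject)`; if `subject` is a fixed-size array, `strnlen(pMsgInfo->subject, sizeof(pMsgInfo->subject))` would bound it. MsgCheckFilter starts and ends outside this hunk.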