fix buffer overflow 71/159071/1 accepted/tizen/3.0/common/20171108.094448 accepted/tizen/3.0/mobile/20171107.215608 accepted/tizen/3.0/wearable/20171107.215612 submit/tizen_3.0/20171107.015413
authorJongkyu Koo <jk.koo@samsung.com>
Tue, 7 Nov 2017 01:22:04 +0000 (10:22 +0900)
committerJongkyu Koo <jk.koo@samsung.com>
Tue, 7 Nov 2017 01:22:04 +0000 (10:22 +0900)
Change-Id: I39e70cfd176d0ee8bb24b880c20cd25caaacc2ce
Signed-off-by: Jongkyu Koo <jk.koo@samsung.com>
externals/MsgSpamFilter.cpp

index c0f543d11d15b7eb5bee0c65fe0fa284ccd224ed..eed53d9c22a2c75a9135569687dfc45e952b6174 100755 (executable)
@@ -140,7 +140,7 @@ bool MsgCheckFilter(MsgDbHandler *pDbHandle, MSG_MESSAGE_INFO_S *pMsgInfo)
 
        int fileSize = 0;
        bool bFiltered = false;
-
+       int tmpLen = 0;
        for (int i = 1; i <= rowCnt; i++) {
                memset(filterValue, 0x00, sizeof(filterValue));
 
@@ -173,20 +173,25 @@ bool MsgCheckFilter(MsgDbHandler *pDbHandle, MSG_MESSAGE_INFO_S *pMsgInfo)
                                        pData = new char[pMsgInfo->dataSize+1];
 
                                        strncpy(pData, pMsgInfo->msgText, pMsgInfo->dataSize);
-                                       pData[strlen(pMsgInfo->msgText)] = '\0';
+                                       tmpLen = strlen(pMsgInfo->msgText);
+                                       if ( tmpLen < pMsgInfo->dataSize)
+                                               pData[tmpLen] = '\0';
+                                       else
+                                               pData[pMsgInfo->dataSize] = '\0';
                                }
                        }
                } else if (pMsgInfo->msgType.mainType == MSG_MMS_TYPE) {
-                       if (strlen(pMsgInfo->subject) > 0) {
+                       tmpLen = strlen(pMsgInfo->subject);
+                       if (tmpLen > 0) {
                                if (pData) {
                                        delete[] pData;
                                        pData = NULL;
                                }
 
-                               pData = new char[strlen(pMsgInfo->subject)+1];
+                               pData = new char[tmpLen+1];
 
-                               strncpy(pData, pMsgInfo->subject, strlen(pMsgInfo->subject));
-                               pData[strlen(pMsgInfo->subject)] = '\0';
+                               strncpy(pData, pMsgInfo->subject, tmpLen);
+                               pData[tmpLen] = '\0';
                        }
                }
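Review bot: In the SMS branch the new code still calls `strlen(pMsgInfo->msgText)` to pick the terminator index, so the scan of msgText is unbounded; if the text is not NUL-terminated inside its buffer, the read runs past it, even though the write is now bounded. Because `strncpy` zero-fills the destination up to the count when the source is shorter, the four-line if/else can be replaced by `pData[pMsgInfo->dataSize] = '\0';`, which yields the same string without reading msgText a second time. The `strncpy` reads up to dataSize bytes from msgText, so it is worth confirming outside this hunk that dataSize cannot exceed the size of the msgText array. `tmpLen` is an `int` holding a `size_t` result and is compared with `dataSize`, whose type is not visible here; declaring it as `size_t tmpLen` inside each branch would avoid a narrowing or signed/unsigned comparison. MsgCheckFilter begins and ends outside the hunk.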