Add boundary check for value from untrusted source 24/113724/3
authorHyunho Kang <hhstark.kang@samsung.com>
Wed, 8 Feb 2017 12:02:27 +0000 (21:02 +0900)
committerHyunho Kang <hhstark.kang@samsung.com>
Mon, 13 Feb 2017 03:35:28 +0000 (12:35 +0900)
Change-Id: I7ac23493f014447d3afbca82fe4f4bdaa565986f
Signed-off-by: Hyunho Kang <hhstark.kang@samsung.com>
src/data-control-provider.c

index a0d8c73..dda6785 100755 (executable)
@@ -43,6 +43,7 @@
 #define QUERY_MAXLEN                   4096
 #define ROW_ID_SIZE                    32
 #define RESULT_PATH_MAX                        512
+#define MAX_COLUMN_COUNT               32767   /* Base on sqlite3 maximum column count */
 
 #define RESULT_PAGE_NUMBER             "RESULT_PAGE_NUMBER"
 #define MAX_COUNT_PER_PAGE             "MAX_COUNT_PER_PAGE"
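Review bot: The comment on `MAX_COLUMN_COUNT` does not say which SQLite limit 32767 refers to. That figure is the highest value SQLITE_MAX_COLUMN can be raised to at compile time, while a default SQLite build stops at 2000 columns. The constant therefore accepts column counts that the database would likely reject, and the comment should make that explicit, for example `/* Largest value SQLite permits for SQLITE_MAX_COLUMN (default build limit is 2000) */`. If the provider only ever talks to a default-configured SQLite, a bound of 2000 would be tighter for a value taken from an untrusted request.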
@@ -647,7 +648,13 @@ static data_control_bulk_data_h __get_bulk_data_from_fd(int fd)
                datacontrol_bulk_data_destroy(ret_bulk_data_h);
                return NULL;
        }
+
        LOGI("bulk data size : %d", size);
+       if (size < 0 || size >= MAX_REQUEST_ARGUMENT_SIZE) {
+               LOGE("Invalid data size");
+               datacontrol_bulk_data_destroy(ret_bulk_data_h);
+               return NULL;
+       }
 
        for (i = 0; i < size; i++) {
                LOGI("bulk data : %d", i);
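Review bot: The new range check in `__get_bulk_data_from_fd` bounds a record count with `MAX_REQUEST_ARGUMENT_SIZE`, a constant whose definition is not in the visible lines and whose name suggests a limit on request arguments rather than on bulk records. Since `size` is read from the peer and drives the loop that follows, a dedicated, documented count limit would make the intended ceiling on per-request work auditable. The rejection message also omits the offending value, unlike the column-count check added later in this commit; `LOGE("Invalid data size %d", size);` would keep the two consistent. The `LOGI` of `size` still runs before validation, which is harmless for an int but could be moved below the check. The function body starts before and continues after this hunk, so how `size` is read and what each iteration allocates could not be reviewed here.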
@@ -1198,6 +1205,11 @@ int __provider_process(bundle *b, int fd)
                int current = 0;
                int column_count = _get_int_from_str(arg_list[i++]); /* Column count */
 
+               if (column_count <= 0 || column_count > MAX_COLUMN_COUNT) {
+                       LOGE("Invalid column count %d", column_count);
+                       goto err;
+               }
+
                LOGI("SELECT column count: %d", column_count);
                column_list = (const char **)malloc(column_count * (sizeof(char *)));
                if (column_list == NULL) {
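Review bot: The added guard in `__provider_process` bounds `column_count` for the `malloc`, but nothing in the visible lines compares it with the number of entries actually left in `arg_list`. If the code after this hunk fills `column_list` by reading `arg_list[i++]` `column_count` times (not visible here), a request that declares more columns than it supplies still reads past the end of the array, even with a count below `MAX_COLUMN_COUNT`. Extending the condition with a check against the remaining arguments would close that, e.g. `column_count > ARG_LIST_LEN - i`, where `ARG_LIST_LEN` is a placeholder for whatever variable holds the array length. Also confirm that the `err` path copes with `column_list` not yet being allocated, and that `_get_int_from_str` reports malformed input distinctly. The function starts and ends outside the hunk.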