Fix to catch std::bad_array_new_length when allocating array using new

The exception std::bad_array_new_length is thrown when the size of new
array is negative or too big to allocate.
Also, this exception cannot be suppressed by std::nothrow, so it should
be catched explicitly when allocating array using 'new' with variable
size.
To make code more reliable, try-catch statements are added to the array
allocating codes using 'new' with variable size.

Change-Id: If1d8b3ce57dace4bb4bc1d976394e4be879ac9ca
Signed-off-by: SangYoun Kwak <sy.kwak@samsung.com>

diff --git a/src/client/sensor_internal.cpp b/src/client/sensor_internal.cpp
index 7495933d33b31dc36366b10286a8c8fa1dd78643..a63df3b9c376a98778a15c3fc095ae9282f26fe9 100644 (file)
--- a/src/client/sensor_internal.cpp
+++ b/src/client/sensor_internal.cpp
@@ -163,9 +163,17 @@ public:
        {
                callback_info_s *info;
                auto size = msg.size();
-               char *data = new(std::nothrow) char[size];
-               if (data == NULL)
+               char *data = nullptr;
+               try {
+                       data = new(std::nothrow) char[size];
+               } catch (std::bad_array_new_length &e) {
+                       _E("Failed to allocate memory, invalid size(%zu)", size);
                        return;
+               }
+               if (data == NULL) {
+                       _E("Failed to allocate memory");
+                       return;
+               }
                memcpy(data, msg.body(), size);
 
                info = new(std::nothrow) callback_info_s();

diff --git a/src/client/sensor_listener.cpp b/src/client/sensor_listener.cpp
index 649a4d4f5a39f171418d946ee7f9eb607614e03a..aab72adfffd49d081d8c9f7fa6d4de06ae698753 100644 (file)
--- a/src/client/sensor_listener.cpp
+++ b/src/client/sensor_listener.cpp
@@ -591,7 +591,12 @@ int sensor_listener::set_attribute(int attribute, const char *value, int len)
 
        size = sizeof(cmd_listener_attr_str_t) + len;
 
-       buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[size];
+       try {
+               buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[size];
+       } catch (std::bad_array_new_length &e) {
+               _E("Failed to allocate memory, invalid size(%zu)", size);
+               return -EINVAL;
+       }
        retvm_if(!buf, -ENOMEM, "Failed to allocate memory");
 
        msg.set_type(CMD_LISTENER_SET_ATTR_STR);
@@ -712,7 +717,13 @@ int sensor_listener::get_sensor_data_list(sensor_data_t **data, int *count)
        }
 
        size_t size = reply.size();
-       cmd_listener_get_data_list_t* reply_buf = (cmd_listener_get_data_list_t *) new(std::nothrow) char[size];
+       cmd_listener_get_data_list_t* reply_buf = nullptr;
+       try {
+               reply_buf = (cmd_listener_get_data_list_t *) new(std::nothrow) char[size];
+       } catch (std::bad_array_new_length &e) {
+               _E("Failed to allocate memory, invalid size(%zu)", size);
+               return -EINVAL;
+       }
 
        retvm_if(!reply_buf, -ENOMEM, "Failed to allocate memory");
 

diff --git a/src/client/sensor_provider_channel_handler.cpp b/src/client/sensor_provider_channel_handler.cpp
index 039c93de6090156e04db510376b119dd4f498322..aa43dbea27204441ee47fbf93aa18def0bb951a4 100644 (file)
--- a/src/client/sensor_provider_channel_handler.cpp
+++ b/src/client/sensor_provider_channel_handler.cpp
@@ -68,9 +68,15 @@ void sensor_provider::channel_handler::read(ipc::channel *ch, ipc::message &msg)
                        m_interval_changed_cb(m_provider, buf.value, m_interval_changed_user_data);
                break;
        case CMD_PROVIDER_ATTR_STR:
-               cmd_provider_attr_str_t *attr;
+               cmd_provider_attr_str_t *attr = nullptr;
+
+               try {
+                       attr = (cmd_provider_attr_str_t *) new(std::nothrow) char[msg.size()];
+               } catch (std::bad_array_new_length &e) {
+                       _E("Failed to allocate memory, invalid size(%zu)", msg.size());
+                       return;
+               }
 
-               attr = (cmd_provider_attr_str_t *) new(std::nothrow) char[msg.size()];
                retm_if(!attr, "Failed to allocate memory");
 
                msg.disclose((char *)attr, msg.size());

diff --git a/src/server/application_sensor_handler.cpp b/src/server/application_sensor_handler.cpp
index a1beab161a40e94ba2067a8c4f952a38adfd8c41..afd01658b4c901314cd3337b4fd1d9a87ec95bf8 100644 (file)
--- a/src/server/application_sensor_handler.cpp
+++ b/src/server/application_sensor_handler.cpp
@@ -157,7 +157,12 @@ int application_sensor_handler::set_attribute(sensor_observer *ob, int32_t attr,
 
        size = sizeof(cmd_provider_attr_str_t) + len;
 
-       buf = (cmd_provider_attr_str_t *) new(std::nothrow) char[size];
+       try {
+               buf = (cmd_provider_attr_str_t *) new(std::nothrow) char[size];
+       } catch (std::bad_array_new_length &e) {
+               _E("Failed to allocate memory, invalid size(%zu)", size);
+               return -EINVAL;
+       }
 
        retvm_if(!buf, -ENOMEM, "Failed to allocate memory");
 

diff --git a/src/server/sensor_handler.cpp b/src/server/sensor_handler.cpp
index dab4570f144a544ef0ccd3529875113a97fc5f37..f81d3c76fad8810d932cbbd5183f739bd13c07ee 100644 (file)
--- a/src/server/sensor_handler.cpp
+++ b/src/server/sensor_handler.cpp
@@ -169,7 +169,12 @@ bool sensor_handler::notify_attribute_changed(uint32_t id, int32_t attribute, co
        cmd_listener_attr_str_t *buf;
        size_t size;
        size = sizeof(cmd_listener_attr_str_t) + len;
-       buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[size];
+       try {
+               buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[size];
+       } catch (std::bad_array_new_length &e) {
+               _E("Failed to allocate memory, invalid size(%zu)", size);
+               return -EINVAL;
+       }
        retvm_if(!buf, -ENOMEM, "Failed to allocate memory");
 
        auto msg = ipc::message::create();
@@ -233,11 +238,24 @@ void sensor_handler::update_attribute(int32_t attr, int32_t value)
 
 int sensor_handler::get_attribute(int32_t attr, char **value, int *len)
 {
+       retv_if(!value, OP_ERROR);
+       retv_if(!len, OP_ERROR);
+
        auto it = m_attributes_str.find(attr);
        retv_if(it == m_attributes_str.end(), OP_ERROR);
 
        *len = it->second.size();
-       *value = new(std::nothrow) char[*len];
+       try {
+               *value = new(std::nothrow) char[*len];
+       } catch (std::bad_array_new_length &e) {
+               _E("Failed to allocate memory, invalid size(%d)", *len);
+               return OP_ERROR;
+       }
+       if (*value == nullptr) {
+               _E("Failed to allocate memory");
+               return OP_ERROR;
+       }
+
        std::copy(it->second.begin(), it->second.end(), *value);
 
        return OP_SUCCESS;

diff --git a/src/server/sensor_manager.cpp b/src/server/sensor_manager.cpp
index 300c9b3cc1f1b1b2016b25dda05411f1ef23d438..659a45386e6de155b8eae724b0a915cee55225e0 100644 (file)
--- a/src/server/sensor_manager.cpp
+++ b/src/server/sensor_manager.cpp
@@ -365,6 +365,8 @@ size_t sensor_manager::serialize(int sock_fd, char **bytes)
        sensor_info info;
        std::vector<char> raw_list;
 
+       retvm_if(!bytes, -EINVAL, "Invalid parameter, bytes cannot be NULL");
+
        put_int_to_vec(raw_list, m_sensors.size());
 
        for (auto it = m_sensors.begin(); it != m_sensors.end(); ++it) {
@@ -384,7 +386,12 @@ size_t sensor_manager::serialize(int sock_fd, char **bytes)
                delete raw;
        }
 
-       *bytes = new(std::nothrow) char[raw_list.size()];
+       try {
+               *bytes = new(std::nothrow) char[raw_list.size()];
+       } catch (std::bad_array_new_length &e) {
+               _E("Failed to allocate memory, invalid size(%zu)", raw_list.size());
+               return -EINVAL;
+       }
        retvm_if(!*bytes, -ENOMEM, "Failed to allocate memory");
 
        std::copy(raw_list.begin(), raw_list.end(), *bytes);

diff --git a/src/server/server_channel_handler.cpp b/src/server/server_channel_handler.cpp
index fd08af1f6adce74baa5ae408409ac6f5227edd96..54c0d2d5ce880b1bcfc36f522189006b49d27397 100644 (file)
--- a/src/server/server_channel_handler.cpp
+++ b/src/server/server_channel_handler.cpp
@@ -348,7 +348,12 @@ int server_channel_handler::listener_set_attr_str(channel *ch, message &msg)
        uint32_t id;
        cmd_listener_attr_str_t *buf;
 
-       buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[msg.size()];
+       try {
+               buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[msg.size()];
+       } catch (std::bad_array_new_length &e) {
+               _E("Failed to allocate memory, invalid size(%zu)", msg.size());
+               return -EINVAL;
+       }
        retvm_if(!buf, -ENOMEM, "Failed to allocate memory");
 
        msg.disclose((char *)buf, msg.size());
@@ -437,7 +442,12 @@ int server_channel_handler::listener_get_attr_str(ipc::channel *ch, ipc::message
        uint32_t id;
        cmd_listener_attr_str_t *buf;
 
-       buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[msg.size()];
+       try {
+               buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[msg.size()];
+       } catch (std::bad_array_new_length &e) {
+               _E("Failed to allocate memory, invalid size(%zu)", msg.size());
+               return -EINVAL;
+       }
        retvm_if(!buf, -ENOMEM, "Failed to allocate memory");
 
        msg.disclose((char *)buf, msg.size());
@@ -467,7 +477,12 @@ int server_channel_handler::listener_get_attr_str(ipc::channel *ch, ipc::message
 
        cmd_listener_attr_str_t *reply_buf;
        size_t size = sizeof(cmd_listener_attr_str_t) + len;
-       reply_buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[size];
+       try {
+               reply_buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[size];
+       } catch (std::bad_array_new_length &e) {
+               _E("Failed to allocate memory, invalid size(%zu)", size);
+               return -EINVAL;
+       }
        retvm_if(!reply_buf, -ENOMEM, "Failed to allocate memory");
 
        reply_buf->attribute = attr;