Check bound for column count

author Hyunho Kang <hhstark.kang@samsung.com>

Tue, 13 Jun 2017 02:30:06 +0000 (11:30 +0900)

committer Hyunho Kang <hhstark.kang@samsung.com>

Tue, 13 Jun 2017 03:45:41 +0000 (03:45 +0000)
author Hyunho Kang <hhstark.kang@samsung.com>
Tue, 13 Jun 2017 02:30:06 +0000 (11:30 +0900)
committer Hyunho Kang <hhstark.kang@samsung.com>
Tue, 13 Jun 2017 03:45:41 +0000 (03:45 +0000)
diff --git a/src/data-control-internal.h b/src/data-control-internal.h

index 786f33ab5253a88616ccd685017390dc71b0b07b..a8cf53585d14253e66d37213bcfad7a98d131eb2 100755 (executable)
--- a/src/data-control-internal.h
+++ b/src/data-control-internal.h
@@ -59,6 +59,7 @@
  #define MAX_REQUEST_ARGUMENT_SIZE      1048576 /* 1MB */
  #define MAX_ROW_COUNT          1024
  #define MAX_COLUMN_SIZE                512
+#define MAX_COLUMN_COUNT       32767   /* Base on sqlite3 maximum column count */
  #define MAX_VALUE_COUNT                1024
  
  /**
diff --git a/src/data-control-provider.c b/src/data-control-provider.c

index dbd9794511ab1c1dab72f26a92cf0a953bc99744..a1e5cfda3af5382b587724b36c5dbeca095ba266 100755 (executable)
--- a/src/data-control-provider.c
+++ b/src/data-control-provider.c
@@ -43,7 +43,6 @@
  #define QUERY_MAXLEN                   4096
  #define ROW_ID_SIZE                    32
  #define RESULT_PATH_MAX                        512
-#define MAX_COLUMN_COUNT               32767   /* Base on sqlite3 maximum column count */
  
  #define RESULT_PAGE_NUMBER             "RESULT_PAGE_NUMBER"
  #define MAX_COUNT_PER_PAGE             "MAX_COUNT_PER_PAGE"
diff --git a/src/data-control-sql.c b/src/data-control-sql.c

index 477fcc19d9f8e4cf97347e0b6858a037fcf96e7d..b400068033e4242ae3861769cceffcd0c2e6db2d 100755 (executable)
--- a/src/data-control-sql.c
+++ b/src/data-control-sql.c
@@ -418,8 +418,6 @@ static int __recv_sql_select_process(bundle *kb, int fd, resultset_cursor *curso
                 goto out;
         }
  
-       cursor->resultset_col_count = column_count;
-       LOGI("column_count : %d", column_count);
         /* no data check. */
         if (column_count == DATACONTROL_RESULT_NO_DATA) {
                 LOGE("No result");
@@ -427,6 +425,15 @@ static int __recv_sql_select_process(bundle *kb, int fd, resultset_cursor *curso
                 return DATACONTROL_ERROR_NONE;
         }
  
+       if (column_count < 0 || column_name_len > MAX_COLUMN_COUNT) {
+               retval = DATACONTROL_ERROR_IO_ERROR;
+               LOGE("Invalid column_count %d", column_count);
+               goto out;
+       }
+
+       cursor->resultset_col_count = column_count;
+       LOGI("column_count : %d", column_count);
+
         if (write(result_fd, &column_count, sizeof(int)) == -1) {
                 LOGE("Writing a column_count to a file descriptor is failed. errno = %d", errno);
                 retval = DATACONTROL_ERROR_IO_ERROR;
author	Hyunho Kang <hhstark.kang@samsung.com>
	Tue, 13 Jun 2017 02:30:06 +0000 (11:30 +0900)
committer	Hyunho Kang <hhstark.kang@samsung.com>
	Tue, 13 Jun 2017 03:45:41 +0000 (03:45 +0000)
src/data-control-internal.h		patch \| blob \| history
src/data-control-provider.c		patch \| blob \| history
src/data-control-sql.c		patch \| blob \| history