Fix potential buffer overflow defect

Change-Id: Ibdaa1cd989e6f2e8f50c1d46f42c980fb75191e2

diff --git a/ism/modules/panelagent/wayland/isf_wsc_context.h b/ism/modules/panelagent/wayland/isf_wsc_context.h
index 4ff2119e8a9f8c378e797a8dceb94b62465e9b37..fda65dc49cc3a65606ea7bd48bbf61966826cf63 100644 (file)
--- a/ism/modules/panelagent/wayland/isf_wsc_context.h
+++ b/ism/modules/panelagent/wayland/isf_wsc_context.h
@@ -153,8 +153,8 @@ int get_panel_client_id ();
 
 WSCContextISF *get_focused_ic ();
 
-void context_scim_imdata_get (WSCContextISF *wsc_ctx, void* data, int* length);
-void context_scim_mime_type_get (WSCContextISF *wsc_ctx, const char *mime_types);
+void context_scim_imdata_get (WSCContextISF *wsc_ctx, void* data, int* length, int max_len);
+void context_scim_mime_type_get (WSCContextISF *wsc_ctx, char *mime_types, int max_len);
 
 void isf_wsc_context_add (WSCContextISF *wsc_ctx);
 void isf_wsc_context_del (WSCContextISF *wsc_ctx);

diff --git a/ism/modules/panelagent/wayland/isf_wsc_control_ui.cpp b/ism/modules/panelagent/wayland/isf_wsc_control_ui.cpp
index 40b3e6e527e253c9325aec0cb14e069b37aee38f..2ea5b1495dd9683f10c41da72be3dd3381eed67d 100644 (file)
--- a/ism/modules/panelagent/wayland/isf_wsc_control_ui.cpp
+++ b/ism/modules/panelagent/wayland/isf_wsc_control_ui.cpp
@@ -98,10 +98,13 @@ void isf_wsc_input_panel_shutdown (void)
 
 void isf_wsc_context_input_panel_show (WSCContextISF* wsc_ctx)
 {
+    const int MAX_IMDATA_LEN = 1024;
+    const int MAX_MIME_TYPE_LEN = 1024;
+
     int length = -1;
     void *packet = NULL;
-    char imdata[1024] = {0};
-    char mime_type[1024] = {0};
+    char imdata[MAX_IMDATA_LEN] = {0};
+    char mime_types[MAX_MIME_TYPE_LEN] = {0};
     bool input_panel_show = false;
     input_panel_ctx = wsc_ctx;
     Ise_Context iseContext;
@@ -146,11 +149,12 @@ void isf_wsc_context_input_panel_show (WSCContextISF* wsc_ctx)
     /* set client window */
     iseContext.client_window = 0;
 
-    /* set the size of imdata */
-    context_scim_imdata_get (wsc_ctx, (void *)imdata, &iseContext.imdata_size);
+    /* set the imdata and its length */
+    context_scim_imdata_get (wsc_ctx, (void *)imdata, &iseContext.imdata_size, MAX_IMDATA_LEN);
 
-    /* set the length of mime type */
-    context_scim_mime_type_get (wsc_ctx, mime_type);
+    /* set the mime type */
+    context_scim_mime_type_get (wsc_ctx, mime_types, MAX_MIME_TYPE_LEN - 1);
+    mime_types[MAX_MIME_TYPE_LEN - 1] = '\0';
 
     /* set the cursor position of the editable widget */
     wsc_context_surrounding_get (wsc_ctx, NULL, &iseContext.cursor_pos);
@@ -168,10 +172,17 @@ void isf_wsc_context_input_panel_show (WSCContextISF* wsc_ctx)
     LOGD ("input hint : %#x\n", iseContext.input_hint);
     LOGD ("bidi direction : %d\n", iseContext.bidi_direction);
 
+    int mime_type_size = strlen (mime_types);
+    if (mime_type_size > 0) {
+        /* Make sure the mime_types terminates with NULL */
+        mime_types[mime_type_size] = '\0';
+        mime_type_size += 1;
+    }
+
     /* calculate packet size */
     length = sizeof (iseContext);
     length += iseContext.imdata_size;
-    length += strlen (mime_type);
+    length += mime_type_size;
 
     /* create packet */
     packet = calloc (1, length);
@@ -179,8 +190,10 @@ void isf_wsc_context_input_panel_show (WSCContextISF* wsc_ctx)
         return;
 
     memcpy (packet, (void *)&iseContext, sizeof (iseContext));
-    memcpy ((void *)((char *)packet + sizeof (iseContext)), (void *)imdata, iseContext.imdata_size);
-    memcpy ((void *)((char *)packet + sizeof (iseContext) + iseContext.imdata_size), mime_type, strlen (mime_type));
+    memcpy ((void *)((char *)packet + sizeof (iseContext)),
+            (void *)imdata, iseContext.imdata_size);
+    memcpy ((void *)((char *)packet + sizeof (iseContext) + iseContext.imdata_size),
+            (void *)mime_types, mime_type_size);
 
     int context_id = _get_context_id (wsc_ctx);
 

diff --git a/ism/modules/panelagent/wayland/wayland_panel_agent_module.cpp b/ism/modules/panelagent/wayland/wayland_panel_agent_module.cpp
index 676c12f90c3955e355b44adbcb2b30c73452fa2f..2abd7c7404efb5ab65af53f069fb27ffb59002fb 100644 (file)
--- a/ism/modules/panelagent/wayland/wayland_panel_agent_module.cpp
+++ b/ism/modules/panelagent/wayland/wayland_panel_agent_module.cpp
@@ -1036,7 +1036,7 @@ find_ic (int id)
 }
 
 static bool
-check_valid_ic (WSCContextISF * ic)
+check_valid_ic (WSCContextISF *ic)
 {
     if (ic && ic->impl && ic->ctx)
         return true;
@@ -1044,31 +1044,42 @@ check_valid_ic (WSCContextISF * ic)
         return false;
 }
 
-void context_scim_imdata_get (WSCContextISF *wsc_ctx, void* data, int* length)
+void context_scim_imdata_get (WSCContextISF *wsc_ctx, void *data, int *length, int max_len)
 {
     WSCContextISF* context_scim = wsc_ctx;
     LOGD ("");
     SCIM_DEBUG_FRONTEND (1) << __FUNCTION__ << "...\n";
 
-    if (context_scim && context_scim->impl) {
-        if (data && context_scim->impl->imdata)
-            memcpy (data, context_scim->impl->imdata, context_scim->impl->imdata_size);
+    if (length)
+        *length = 0;
+
+    if (context_scim && context_scim->impl && context_scim->impl->imdata && data && length) {
+        if (max_len > context_scim->impl->imdata_size)
+            max_len = context_scim->impl->imdata_size;
+
+        memcpy (data, context_scim->impl->imdata, max_len);
 
-        if (length)
-            *length = context_scim->impl->imdata_size;
+        *length = max_len;
     }
 }
 
-void context_scim_mime_type_get (WSCContextISF *wsc_ctx, const char *mime_type)
+void context_scim_mime_type_get (WSCContextISF *wsc_ctx, char *mime_types, int max_len)
 {
     WSCContextISF* context_scim = wsc_ctx;
     LOGD ("");
     SCIM_DEBUG_FRONTEND (1) << __FUNCTION__ << "...\n";
 
-    if (context_scim && context_scim->impl) {
-        if (!(context_scim->impl->mime_type).empty ())
-            memcpy ((void *)mime_type ,(context_scim->impl->mime_type).c_str (),
-                strlen ((context_scim->impl->mime_type).c_str ()));
+    if (mime_types && max_len > 0) {
+        /* Initialize mime_types to have an empty string */
+        mime_types[0] = '\0';
+        if (context_scim && context_scim->impl) {
+            if (!(context_scim->impl->mime_type).empty ()) {
+                int length = (context_scim->impl->mime_type).length ();
+                if (max_len > length)
+                    max_len = length;
+                memcpy ((void*)mime_types, (context_scim->impl->mime_type).c_str (), max_len);
+            }
+        }
     }
 }
 
@@ -1102,7 +1113,7 @@ change_block_status_timer_cb (void *data)
 }
 
 static void
-check_input_resource (WSCContextISF* wsc_ctx, Input_Resource input_res)
+check_input_resource (WSCContextISF *wsc_ctx, Input_Resource input_res)
 {
     WSCContextISF* context_scim = wsc_ctx;
     LOGD ("Input resource : %d\n", input_res);