Prevent buffer overflow on reading value

Change-Id: I4a6d5abce72c4f2165a0d190068ef75157cf4c35
Signed-off-by: Kichan Kwon <k_c.kwon@samsung.com>

diff --git a/src/init_db/system_info_db_init.c b/src/init_db/system_info_db_init.c
index 7e62ac2..b4efa8a 100644 (file)
--- a/src/init_db/system_info_db_init.c
+++ b/src/init_db/system_info_db_init.c
@@ -175,6 +175,7 @@ static int db_get_value(const char *db_path, char *tag, char *name, char *type,
        char key_internal[KEY_MAX];
        size_t key_internal_len;
        char buf[PATH_MAX];
+       size_t value_internal_len;
        char *ptr;
        FILE *fp = NULL;
 
@@ -196,7 +197,9 @@ static int db_get_value(const char *db_path, char *tag, char *name, char *type,
        key_internal_len = strlen(key_internal);
        while ((ptr = fgets(buf, sizeof(buf), fp))) {
                if (!strncmp(buf, key_internal, key_internal_len) && buf[key_internal_len] == ' ') {
-                       sscanf(buf, "%*s %[^\n]s", value);
+                       value_internal_len = strcspn(buf + key_internal_len + 1, "\n") + 1;
+                       snprintf(value, val_len < value_internal_len ? val_len : value_internal_len,
+                                       "%s", buf + key_internal_len + 1);
                        break;
                }
        }
@@ -217,7 +220,7 @@ static int db_set_value_specific_runtime(const char *db_path, char *tag, char *n
        char value_intg[LANG_MAX + 1] = {0};
        int ret;
 
-       ret = db_get_value(db_path, tag, name, type, value_intg, LANG_MAX);
+       ret = db_get_value(db_path, tag, name, type, value_intg, LANG_MAX + 1);
        if (ret != 0)
                return ret;
 

diff --git a/src/system_info.c b/src/system_info.c
index 4522e09..4a95b72 100644 (file)
--- a/src/system_info.c
+++ b/src/system_info.c
@@ -78,6 +78,7 @@ static int db_get_value(enum tag_type tag, const char *key,
        char key_internal[KEY_MAX];
        size_t key_internal_len;
        char buf[PATH_MAX];     // buffer size should be larger than KEY_MAX
+       size_t value_internal_len;
        FILE *fp = NULL;
        int ret;
        char *tag_s;
@@ -132,7 +133,9 @@ static int db_get_value(enum tag_type tag, const char *key,
        key_internal_len = strlen(key_internal);
        while ((temp = fgets(buf, sizeof(buf), fp))) {
                if (!strncmp(buf, key_internal, key_internal_len) && buf[key_internal_len] == ' ') {
-                       sscanf(buf, "%*s %[^\n]s", value);
+                       value_internal_len = strcspn(buf + key_internal_len + 1, "\n") + 1;
+                       snprintf(value, len < value_internal_len ? len : value_internal_len,
+                                       "%s", buf + key_internal_len + 1);
                        break;
                }
        }