From: Tomasz Bocheński
Date: Tue, 13 Mar 2018 17:42:06 +0000 (+0100)
Subject: [base-utils][i18ninfo] Overflow bug fixed.
X-Git-Tag: submit/tizen/20180322.052043^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=0bfc844d355b54245f3a58ff27b85389c5cd008e;p=platform%2Fcore%2Fapi%2Fbase-utils.git
[base-utils][i18ninfo] Overflow bug fixed.
Change-Id: I7dfd767da7c51653ef98c78a2bba4980eb9d86bd
Signed-off-by: Tomasz Bocheński
---
diff --git a/i18ninfo/i18ninfo.cpp b/i18ninfo/i18ninfo.cpp
index f51f57b..bfd0d35 100644
--- a/i18ninfo/i18ninfo.cpp
+++ b/i18ninfo/i18ninfo.cpp
@@ -1133,7 +1133,7 @@ i18n_uchar *_convert_unicode_numeric_values(const i18n_uchar *input, int32_t len { if (length <= 0) return NULL; - int32_t output_length = 0; + int32_t output_length = 1; double *values = (double *) malloc(length * sizeof(double)); int max_value_length = 0;
@@ -1159,8 +1159,12 @@ i18n_uchar *_convert_unicode_numeric_values(const i18n_uchar *input, int32_t len if (!INT_ADD_RANGE_OVERFLOW(max_value_length, 1)) max_value_length += 1; - i18n_uchar *output = (i18n_uchar *) malloc((output_length + 1) * sizeof(input[0])); - i18n_ustring_mem_set(output, '\0', output_length + 1); + i18n_uchar *output = (i18n_uchar *) calloc(output_length, sizeof(input[0])); + if (output == NULL) { + free(values); + return NULL; + } + i18n_ustring_mem_set(output, '\0', output_length); char *tmp = (char *) malloc((max_value_length) * sizeof(input[0])); i18n_uchar *c = (i18n_uchar *) malloc((max_value_length) * sizeof(input[0]));
@@ -1172,7 +1176,6 @@ i18n_uchar *_convert_unicode_numeric_values(const i18n_uchar *input, int32_t len if (NULL == tmp) { free(values); free(c); - free(tmp); free(output); return NULL; }
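Review bot: The new initial value `1` for `output_length` is an unexplained constant. Judging from the next hunk, where `malloc((output_length + 1) * ...)` becomes `calloc(output_length, ...)`, it reserves the slot for the terminating NUL. A comment on that line such as `/* starts at 1: room for the terminating NUL */` would keep a later edit from resetting it to 0 and leaving the buffer one element short. The function body continues outside the hunk, so how `output_length` is accumulated is not visible here.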
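Review bot: The `i18n_ustring_mem_set(output, '\0', output_length);` call kept after the new `calloc` is redundant, because calloc already returns zeroed memory, so the line can be dropped. Separately, `output_length` is an `int32_t` passed where calloc takes a `size_t`. If the accumulation between the first hunk and this one can wrap (not visible here), a negative value becomes a very large request that only fails by accident of size. An explicit `if (output_length <= 0) { free(values); return NULL; }` before the allocation would make that rejection deliberate.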
@@ -1204,13 +1207,17 @@ static int __convert_number(char *custom_number) printf(" Input number : %s\n", input_number); number_to_convert = (i18n_uchar *) malloc(sizeof(i18n_uchar) * (strlen(input_number) + 1)); - if (NULL == number_to_convert) { - free(number_to_convert); + if (NULL == number_to_convert) return I18N_ERROR_OUT_OF_MEMORY; - } + i18n_ustring_copy_ua_n(number_to_convert, input_number, BUF_SIZE); i18n_uchar *str = _convert_unicode_numeric_values(number_to_convert, i18n_ustring_get_length(number_to_convert)); + if (NULL == str) { + printf("\nError: Out of memory.\n"); + free(number_to_convert); + return 0; + } char p_string[BUF_SIZE]; i18n_ustring_copy_au_n(p_string, str, BUF_SIZE); printf(" Convert number : %s\n", p_string);
@@ -1225,6 +1232,11 @@ static int __convert_number(char *custom_number) i18n_ustring_copy_ua(number_to_convert, input_number); i18n_uchar *str = _convert_unicode_numeric_values(number_to_convert, i18n_ustring_get_length(number_to_convert)); + if (NULL == str) { + printf("\nError: Out of memory.\n"); + free(number_to_convert); + return 0; + } char p_string[BUF_SIZE]; i18n_ustring_copy_au_n(p_string, str, BUF_SIZE); printf(" Convert number : %s\n", p_string);
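Review bot: The copy bound in `i18n_ustring_copy_ua_n(number_to_convert, input_number, BUF_SIZE)` is `BUF_SIZE`, while the buffer allocated just above holds `strlen(input_number) + 1` elements, so the limit is not tied to the allocation. If `input_number` can reach `BUF_SIZE` characters or more (its origin is outside the hunk), the copy presumably stops without writing a terminator. The following `i18n_ustring_get_length(number_to_convert)` would then read past the initialized part of the buffer. Computing the size once, `size_t n = strlen(input_number) + 1;`, and passing `n` to both the malloc and the copy keeps the two in step. The same termination concern applies to `i18n_ustring_copy_au_n(p_string, str, BUF_SIZE)` before the `%s` print, here and in the next hunk, where `p_string[BUF_SIZE - 1] = '\0';` after the copy would guarantee a terminator.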
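Review bot: The new `if (NULL == str)` branch returns `0` and prints "Out of memory", whereas the malloc failure in the previous hunk returns `I18N_ERROR_OUT_OF_MEMORY`. The first hunk also shows `_convert_unicode_numeric_values` returning NULL when `length <= 0`, so an empty input string lands in this branch too. A caller therefore cannot tell this failure from success if `0` is the success code (not visible here), and the message is wrong for empty input. I would use `return I18N_ERROR_OUT_OF_MEMORY;` in the branch, or reject empty input before the call with its own message. The identical branch in the previous hunk needs the same change.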