From: Youngbok Shin <youngb.shin@samsung.com>
Date: Thu, 25 May 2017 07:59:41 +0000 (+0900)
Subject: rotary_selector: fix string overflow, nonterminated string issues for strncat
X-Git-Tag: submit/tizen/20170526.054713~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=1cab777b8c443682e443eb94b1f2ce52ef908ee4;p=platform%2Fcore%2Fuifw%2Fefl-ext.git

rotary_selector: fix string overflow, nonterminated string issues for strncat

Change-Id: Icb2af35bc510f577a9979acea97ea2d1ec71b53c
---

diff --git a/src/wearable/efl_extension_rotary_selector.c b/src/wearable/efl_extension_rotary_selector.c
index ae40e92..fea3f51 100644
--- a/src/wearable/efl_extension_rotary_selector.c
+++ b/src/wearable/efl_extension_rotary_selector.c
@@ -2861,6 +2861,7 @@ _accessibility_event_area_highlighted_cb(void *data, Evas_Object *obj, Elm_Acces
    int last_index = 0;
    int changed_list = 0;
    Eina_Bool ret = EINA_FALSE;
+   int limit = 0;
 
    if (rsd->current_page == 0)
         last_index = _ROTARY_SELECTOR_PAGE_ITEM_MAX - 1;
@@ -2914,16 +2915,26 @@ _accessibility_event_area_highlighted_cb(void *data, Evas_Object *obj, Elm_Acces
                           const char *buf_name;
                           buf_name = elm_atspi_accessible_name_get(rsd->event_area_access_object);
                           if(buf_name)
-                            strncat(buf, buf_name, strlen(buf_name));
+                            {
+                               limit = sizeof(buf) - strlen(buf) - 1;
+                               if (limit > 0)
+                                 strncat(buf, buf_name, limit);
+                            }
                        }
                   }
                 if(type & ELM_ACCESSIBLE_READING_INFO_TYPE_DESCRIPTION)
                   {
-                     strncat(buf, " ", strlen(" "));
+                     limit = sizeof(buf) - strlen(buf) - 1;
+                     if (limit > 0)
+                       strncat(buf, " ", limit);
                      const char *buf_desc;
                      buf_desc = elm_atspi_accessible_description_get(rsd->event_area_access_object);
                      if(buf_desc)
-                       strncat(buf, buf_desc, strlen(buf_desc));
+                       {
+                          limit = sizeof(buf) - strlen(buf) - 1;
+                          if (limit > 0)
+                            strncat(buf, buf_desc, limit);
+                       }
                   }
                 if(strcmp(buf,""))
                   elm_atspi_bridge_utils_say(buf, EINA_TRUE, NULL, NULL);
@@ -3192,18 +3203,29 @@ _accessibility_description_set_cb(void *data, Evas_Object *obj)
    Eext_Rotary_Selector_Data *rsd = (Eext_Rotary_Selector_Data *)data;
    char buf[255] = "";
    char buf_page[255] = "";
+   const char *tmp;
+   int limit = 0;
 
    bindtextdomain (PACKAGE, LOCALE_DIR);
 
    if (rsd->is_read_description)
      {
         snprintf(buf, sizeof(buf), _("WDS_TTS_TBBODY_ROTATE_BEZEL_TO_NAVIGATE_ITEMS"));
-        strncat(buf, " ", strlen(" "));
+        limit = sizeof(buf) - strlen(buf) - 1;
+        if (limit > 0)
+          strncat(buf, " ", limit);
      }
    else
      {
+        tmp = _("IDS_BR_BODY_PAGE");
         snprintf(buf, sizeof(buf), _("IDS_KA_HEADER_PD_OF_PD"), rsd->reading_page_number + 1, ((rsd->item_count - 1) / _ROTARY_SELECTOR_PAGE_ITEM_MAX) + 1);
-        strcat(buf, _("IDS_BR_BODY_PAGE"));
+
+        if (tmp)
+          {
+             limit = sizeof(buf) - strlen(buf) - 1;
+             if (limit > 0)
+               strncat(buf, tmp, limit);
+          }
      }
 
    return strdup(buf);