From: Jihoon Jung <jh8801.jung@samsung.com>
Date: Wed, 30 Oct 2019 13:40:40 +0000 (+0900)
Subject: Apply CVE patch
X-Git-Tag: accepted/tizen/unified/20191101.042019^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=39955fd6d8817eb8548813b96570d277387f0e7e;p=platform%2Fupstream%2Flibmtp.git

Apply CVE patch

- CVE-2017-9831, CVE-2017-9832 : Integer Overflow

Change-Id: I2538cb1ce822820ad675d5af681b0170354ae6dc
Signed-off-by: Jihoon Jung <jh8801.jung@samsung.com>
---

diff --git a/src/ptp-pack.c b/src/ptp-pack.c
index 877a1ce..51ef0c5 100755
--- a/src/ptp-pack.c
+++ b/src/ptp-pack.c
@@ -1255,6 +1255,12 @@ ptp_unpack_OPL (PTPParams *params, unsigned char* data, MTPProperties **pprops,
 		*pprops = NULL;
 		return 0;
 	}
+
+	if (prop_count >= INT_MAX/sizeof(MTPProperties)) {
+		ptp_debug (params ,"prop_count %d is too large", prop_count);
+		return 0;
+	}
+
 	ptp_debug (params ,"Unpacking MTP OPL, size %d (prop_count %d)", len, prop_count);
 	data += sizeof(uint32_t);
 	len -= sizeof(uint32_t);
@@ -1546,14 +1552,19 @@ ptp_unpack_EOS_CustomFuncEx (PTPParams* params, unsigned char** data )
 {
 	uint32_t s = dtoh32a( *data );
 	uint32_t n = s/4, i;
-	char* str = (char*)malloc( s*2+s/4+1 ); /* n is size in uint32, maximum %x len is 8 chars and \0*/
+	char	*str, *p;
+
+	if (s > 1024) {
+		ptp_debug (params, "customfuncex data is larger than 1k / %d... unexpected?", s);
+		return strdup("bad length");
+	}
+	str = (char*)malloc( s*2+s/4+1 ); /* n is size in uint32, maximum %x len is 8 chars and \0*/
 	if (!str)
-		return str;
-	char* p = str;
+		return strdup("malloc failed");
 
+	p = str;
 	for (i=0; i < n; ++i)
 		p += sprintf(p, "%x,", dtoh32a( *data + 4*i ));
-
 	return str;
 }