From: Ji-hoon Lee <dalton.lee@samsung.com>
Date: Tue, 27 Jul 2021 05:27:43 +0000 (+0900)
Subject: Prevent buffer overflow in case the audio data size is too large
X-Git-Tag: submit/tizen/20210803.074409~2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=7e347e0579ae211fd91fef62b7ec814da6c3b376;p=platform%2Fcore%2Fuifw%2Fmulti-assistant-service.git

Prevent buffer overflow in case the audio data size is too large

Change-Id: Ibfe33f6baec68667fe5f82371d5374a9889b36e1
---

diff --git a/src/service_ipc_dbus.cpp b/src/service_ipc_dbus.cpp
index a0973f6..5799f88 100644
--- a/src/service_ipc_dbus.cpp
+++ b/src/service_ipc_dbus.cpp
@@ -239,12 +239,34 @@ int CServiceIpcDbus::send_streaming_audio_data(pid_t pid, int event, void* data,
 
 	unsigned char buffer[STREAMING_BUFFER_SIZE];
 	size_t total_size = 0;
-	memcpy(buffer, &header, sizeof(header));
-	total_size += sizeof(header);
-	memcpy(buffer + total_size, &audio_data_header, sizeof(audio_data_header));
-	total_size += sizeof(audio_data_header);
-	memcpy(buffer + total_size, data, data_size);
-	total_size += data_size;
+	size_t new_size = 0;
+
+	new_size = sizeof(header);
+	if (new_size + total_size <= STREAMING_BUFFER_SIZE) {
+		memcpy(buffer, &header, new_size);
+		total_size += new_size;
+	} else {
+		MAS_LOGE("Buffer overflow : %zu %zu", new_size, total_size);
+		return -1;
+	}
+
+	new_size = sizeof(audio_data_header);
+	if (new_size + total_size <= STREAMING_BUFFER_SIZE) {
+		memcpy(buffer + total_size, &audio_data_header, new_size);
+		total_size += new_size;
+	} else {
+		MAS_LOGE("Buffer overflow : %zu %zu", new_size, total_size);
+		return -1;
+	}
+
+	new_size = data_size;
+	if (new_size + total_size <= STREAMING_BUFFER_SIZE) {
+		memcpy(buffer + total_size, data, new_size);
+		total_size += new_size;
+	} else {
+		MAS_LOGE("Buffer overflow : %zu %zu", new_size, total_size);
+		return -1;
+	}
 
 	const long long minimum_flush_interval = 20;
 	static long long last_flush_time = get_current_milliseconds_after_epoch();
@@ -309,8 +331,12 @@ int CServiceIpcDbus::send_streaming_audio_data(pid_t pid, int event, void* data,
 			MAS_LOGE("Bundle creation failed!!!");
 		}
 	} else {
-		memcpy(pending_buffer + pending_buffer_size, buffer, total_size);
-		pending_buffer_size += total_size;
+		if (pending_buffer_size + total_size <= STREAMING_BUFFER_SIZE) {
+			memcpy(pending_buffer + pending_buffer_size, buffer, total_size);
+			pending_buffer_size += total_size;
+		} else {
+			MAS_LOGE("Buffer overflow : %zu %zu", pending_buffer_size, total_size);
+		}
 	}
 	return 0;
 }