From: Hoyub Lee <hoyub.lee@samsung.com>
Date: Mon, 13 Feb 2017 11:26:36 +0000 (+0900)
Subject: pepper: Fix possible integer overflow
X-Git-Tag: submit/tizen/20170215.123502^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=85446841067dfe230fa37d4e4f9a718ac1beafaa;p=platform%2Fcore%2Fuifw%2Fpepper.git

pepper: Fix possible integer overflow

Change-Id: Ib0eca42f1d3c16521a9309e2c584b44a994fa279
Signed-off-by: Hoyub Lee <hoyub.lee@samsung.com>
---

diff --git a/src/lib/pepper/compositor.c b/src/lib/pepper/compositor.c
index c85530c..f5eba48 100644
--- a/src/lib/pepper/compositor.c
+++ b/src/lib/pepper/compositor.c
@@ -96,6 +96,7 @@ compositor_bind_socket(pepper_compositor_t *compositor, int socket_fd,
 					   const char *name)
 {
 	struct stat buf;
+	int name_length;
 	socklen_t size, name_size;
 	const char *runtime_dir;
 	long flags;
@@ -117,9 +118,15 @@ compositor_bind_socket(pepper_compositor_t *compositor, int socket_fd,
 	}
 
 	compositor->addr.sun_family = AF_LOCAL;
-	name_size = snprintf(compositor->addr.sun_path,
+
+	name_length = snprintf(compositor->addr.sun_path,
 						 sizeof compositor->addr.sun_path,
-						 "%s/%s", runtime_dir, name) + 1;
+						 "%s/%s", runtime_dir, name);
+
+	if (name_length < 0 || name_length == INT32_MAX)
+		goto err_addr;
+
+	name_size = name_length + 1;
 	if (name_size > (int)sizeof(compositor->addr.sun_path)) {
 		PEPPER_ERROR("socket path \"%s/%s\" plus null terminator"
 					 " exceeds 108 bytes\n", runtime_dir, name);