From: Dongwoo Lee
Date: Thu, 25 Aug 2022 11:07:29 +0000 (+0900)
Subject: hal-backend-power: Fix possible vulnerabilities
X-Git-Tag: accepted/tizen/7.0/unified/20221110.063725^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=bc3949a563eb8575d9ad5eeffa68fea68ac944a2;p=platform%2Fhal%2Fbackend%2Fvim3%2Fpower-vim3.git
hal-backend-power: Fix possible vulnerabilities
Change-Id: I770dc6986b618236372ce72f823a65ff64bf2f5c
Signed-off-by: Dongwoo Lee
---
diff --git a/src/hal-backend-power.c b/src/hal-backend-power.c
index 2a9bd7f..8de87a6 100644
--- a/src/hal-backend-power.c
+++ b/src/hal-backend-power.c
@@ -20,7 +20,6 @@
 #include
 #include
 #include
-#include
 #include
@@ -366,14 +365,17 @@ static struct pass_resource_tmu_ops tmu_ops = {
 static int bus_dvfs_get_curr_freq(char *res_name)
 {
 char buf[BUFF_MAX + 1];
- char unit[BUFF_MAX + 1];
 int ret, freq;
 ret = sysfs_read_str("/sys/class/aml_ddr/freq", buf, BUFF_MAX);
 if (ret < 0)
 return ret;
- sscanf(buf, "%d %s", &freq, unit);
+ if (sscanf(buf, "%d %*s", &freq) != 1)
+ return -EINVAL;
+
+ if (freq < 0 || freq > INT_MAX/1000)
+ return -EINVAL;
 return (freq * 1000);
 }
@@ -386,13 +388,17 @@ static int gpu_freq_table[] = {
 800000,
 };
+#define ARRAY_LENGTH(array) (sizeof((array))/sizeof((array)[0]))
+
 static int gpu_dvfs_get_min_freq(char *res_name)
 {
 int freq, ret;
 ret = sysfs_read_int("/sys/class/mpgpu/min_freq", &freq);
- if (ret < 0)
- return ret;
+
+ if (freq < 0 || freq >= ARRAY_LENGTH(gpu_freq_table))
+ return -EINVAL;
+
 return (ret < 0) ? ret : (gpu_freq_table[freq]);
 }
@@ -401,8 +407,9 @@ static int gpu_dvfs_get_max_freq(char *res_name)
 int freq, ret;
 ret = sysfs_read_int("/sys/class/mpgpu/max_freq", &freq);
- if (ret < 0)
- return ret;
+ if (freq < 0 || freq >= ARRAY_LENGTH(gpu_freq_table))
+ return -EINVAL;
+
 return (ret < 0) ? ret : gpu_freq_table[freq];
 }
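Review bot: In bus_dvfs_get_curr_freq the `freq > INT_MAX/1000` guard runs only after `sscanf` has converted the number, and `%d` has undefined behaviour when the digits in `buf` do not fit in an int, so the guard cannot be relied on for oversized input. Parsing with `strtol`, then checking the end pointer and `errno == ERANGE` before the range test, closes that gap; the changed lines are sketched below. The hunk also starts using `INT_MAX` while the first hunk drops an `#include` whose name is not visible on this page, so it is worth confirming that `<limits.h>` is still included.

```c
static int bus_dvfs_get_curr_freq(char *res_name)
{
	char buf[BUFF_MAX + 1];
	char *end;
	long val;
	int ret;

	/* … unchanged: sysfs_read_str() call and its ret check … */

	/* strtol reports out-of-range input through errno instead of UB */
	errno = 0;
	val = strtol(buf, &end, 10);
	if (end == buf || errno == ERANGE)
		return -EINVAL;

	/* reject values that are negative or would overflow int after * 1000 */
	if (val < 0 || val > INT_MAX / 1000)
		return -EINVAL;

	return (int)val * 1000;
```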
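Review bot: In gpu_dvfs_get_min_freq the new bounds check reads `freq` before `ret` is tested, because the early `if (ret < 0) return ret;` is removed. If sysfs_read_int() fails without storing to `freq` (its body is not visible here), the check reads an uninitialized int, and the caller gets -EINVAL or the real error depending on what happened to be on the stack. Keeping `if (ret < 0)` / `return ret;` ahead of the bounds check fixes both, and the last line can then be plain `return gpu_freq_table[freq];`. The gpu_dvfs_get_max_freq hunk has the same ordering problem. The `freq >= ARRAY_LENGTH(gpu_freq_table)` comparison mixes int with size_t and is safe only because `freq < 0` is tested first, which deserves a comment such as `/* freq is non-negative here, so the unsigned comparison is exact */`.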
@@ -411,8 +418,7 @@ static int gpu_dvfs_get_curr_freq(char *res_name)
 int freq, ret;
 ret = sysfs_read_int("/sys/class/mpgpu/cur_freq", &freq);
- if (ret < 0)
- return ret;
+
 return (ret < 0) ? ret : (freq * 1000);
 }
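Review bot: `freq * 1000` in gpu_dvfs_get_curr_freq is still an unchecked signed multiplication, although the same commit adds a `freq > INT_MAX/1000` guard to bus_dvfs_get_curr_freq for the identical pattern. A value read from /sys/class/mpgpu/cur_freq above INT_MAX/1000 overflows, which is undefined behaviour, and a negative one is handed to the caller looking like an error code. I would keep the early `if (ret < 0) return ret;` and add `if (freq < 0 || freq > INT_MAX / 1000) return -EINVAL;` before the final return. The function's signature and opening brace are outside the hunk.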