From: Boram Park <boram1288.park@samsung.com>
Date: Thu, 14 Dec 2017 00:45:12 +0000 (+0900)
Subject: fix tained string issue
X-Git-Tag: accepted/tizen/unified/20171215.060624~3
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e71b628d13ebe00d834221671ad6959e62311e0c;p=platform%2Fcore%2Fuifw%2Flibtdm.git

fix tained string issue

Change-Id: I349b13d2d2731c69c4ee44dc6aef1c9613c00ff5
---

diff --git a/src/tdm.c b/src/tdm.c
index 955d5d5..4f8c253 100644
--- a/src/tdm.c
+++ b/src/tdm.c
@@ -862,20 +862,22 @@ static tdm_error
 _tdm_display_load_module(tdm_private_display *private_display)
 {
 	const char *module_name;
-	char module[TDM_NAME_LEN];
 	struct dirent **namelist;
-	int n;
+	int n, len;
 	tdm_error ret = 0;
 
 	module_name = getenv("TDM_MODULE");
 	if (!module_name)
 		module_name = TDM_DEFAULT_MODULE;
 
-	strncpy(module, module_name, TDM_NAME_LEN - 1);
-	module[TDM_NAME_LEN - 1] = '\0';
+	len = strlen(module_name);
+	if (len > TDM_NAME_LEN - 1) {
+		TDM_ERR("TDM_MODULE is too long\n");
+		return TDM_ERROR_OPERATION_FAILED;
+	}
 
 	/* load bufmgr priv from default lib */
-	ret = _tdm_display_load_module_with_file(private_display, (const char*)module);
+	ret = _tdm_display_load_module_with_file(private_display, module_name);
 	if (ret == TDM_ERROR_NONE)
 		return TDM_ERROR_NONE;
 
diff --git a/src/tdm_server.c b/src/tdm_server.c
index 3d9daf3..5f88332 100644
--- a/src/tdm_server.c
+++ b/src/tdm_server.c
@@ -874,7 +874,7 @@ _tdm_socket_init(tdm_private_loop *private_loop)
 {
 	const char *dir = NULL;
 	char socket_path[TDM_NAME_LEN * 2];
-	int ret = -1;
+	int ret = -1, len;
 	uid_t uid;
 	gid_t gid;
 
@@ -888,6 +888,12 @@ _tdm_socket_init(tdm_private_loop *private_loop)
 		/* LCOV_EXCL_STOP */
 	}
 
+	len = strlen(dir);
+	if (len > TDM_NAME_LEN - 1) {
+		TDM_ERR("XDG_RUNTIME_DIR is too long\n");
+		return;
+	}
+
 	strncpy(socket_path, dir, TDM_NAME_LEN - 1);
 	socket_path[TDM_NAME_LEN - 1] = '\0';