From: HyeKyoung Hwang Date: Tue, 11 Apr 2017 03:07:23 +0000 (+0900) Subject: Fix the Svace issue 18688,18689,66122,66188,66189,66190,66191,66192 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Ftizen_3.0;p=platform%2Fframework%2Fweb%2Fbrowser-provider.git Fix the Svace issue 18688,18689,66122,66188,66189,66190,66191,66192 [ Problem] There are Svace issue due to without checking its higher bound [ Solution] Checking the higher bound [ Verify ] Check the bookmark/hisotry/tab Change-Id: I02a5ab21e3f333e54ce955c789c2b482e2bd79b0 Signed-off-by: HyeKyoung Hwang --- diff --git a/common-adaptor/common-adaptor.c b/common-adaptor/common-adaptor.c index 95539d5..4916a79 100755 --- a/common-adaptor/common-adaptor.c +++ b/common-adaptor/common-adaptor.c @@ -445,7 +445,7 @@ int bp_common_adaptor_get_blob(const int sock, bp_command_fmt *cmd, BP_PRINT_ERROR(cmd->id, *errorcode); return -1; } - if (blob_length > 0) { + if (blob_length < BP_MAX_INT_COUNT && blob_length > 0) { blob_data = (unsigned char *)calloc(blob_length, sizeof(unsigned char)); if (blob_data == NULL) { @@ -542,7 +542,7 @@ int bp_common_adaptor_get_info_blob(int sock, unsigned char **value, { int length = 0; if ((bp_ipc_read_custom_type(sock, &length, - sizeof(int)) == 0) && (length > 0)) { + sizeof(int)) == 0) && (length > 0) &&(length < BP_MAX_INT_COUNT)) { int trans_way = 0; // 0:socket 1:shm if (bp_ipc_read_custom_type(sock, &trans_way, @@ -600,8 +600,7 @@ int bp_common_adaptor_get_blob_shm(const int sock, return -1; } - if (blob_length > 0) { - + if (blob_length < BP_MAX_INT_COUNT && blob_length > 0) { // read here what IPC should be used below from provider. int trans_way = 0; // 0:socket 1:shm trans_way = bp_adaptor_ipc_read_int(sock); 
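Review bot: The added upper bound in `bp_common_adaptor_get_blob` (`blob_length < BP_MAX_INT_COUNT`) still lets a length taken from the IPC peer drive `calloc(blob_length, sizeof(unsigned char))` up to almost 2 GiB, because the header hunk later in this patch defines `BP_MAX_INT_COUNT` as 2147483646, so with a 32-bit `int` only the top two values are rejected. The same condition is used in the `bp_common_adaptor_get_info_blob` and `bp_common_adaptor_get_blob_shm` hunks here and in the three `bp_common_set_blob*` hunks in provider/browser-provider-requests.c. A limit derived from the largest blob the provider is expected to store would bound memory per request, e.g. `if (blob_length > 0 && blob_length <= BP_MAX_BLOB_LENGTH) {`, where `BP_MAX_BLOB_LENGTH` is a placeholder for a new project-chosen constant. All of these function bodies continue outside the hunks, so what happens to the unread payload when a length is rejected cannot be confirmed from here.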
@@ -632,12 +631,13 @@ int bp_common_adaptor_get_blob_shm(const int sock, *value = shm->mem; } } - - if ((blob_width = bp_adaptor_ipc_read_int(sock)) < 0 || - (blob_height = bp_adaptor_ipc_read_int(sock)) < 0) { - *errorcode = bp_ipc_check_stderr(BP_ERROR_IO_ERROR); - BP_PRINT_ERROR(cmd->id, *errorcode); - return -1; + blob_width = bp_adaptor_ipc_read_int(sock); + blob_height = bp_adaptor_ipc_read_int(sock); + if (blob_width < 0 || blob_width > BP_MAX_INT_COUNT + || blob_height < 0 || blob_height > BP_MAX_INT_COUNT ) { + *errorcode = bp_ipc_check_stderr(BP_ERROR_IO_ERROR); + BP_PRINT_ERROR(cmd->id, *errorcode); + return -1; } *length = blob_length; *width = blob_width; diff --git a/common-adaptor/include/common-adaptor.h b/common-adaptor/include/common-adaptor.h index f574eba..f87bd3e 100755 --- a/common-adaptor/include/common-adaptor.h +++ b/common-adaptor/include/common-adaptor.h @@ -106,6 +106,7 @@ int bp_common_adaptor_clear_read_buffer(int sock, size_t length); } while(0) #define BP_MAX_IDS_COUNT 512 +#define BP_MAX_INT_COUNT 2147483646 #define BP_CHECK_IPC_SOCK (g_adaptorinfo == NULL ? -1 : g_adaptorinfo->cmd_socket) diff --git a/provider/CMakeLists.txt b/provider/CMakeLists.txt old mode 100644 new mode 100755 index 2a55ca3..c2382e7 --- a/provider/CMakeLists.txt +++ b/provider/CMakeLists.txt @@ -40,6 +40,7 @@ ENDFOREACH(flag) INCLUDE_DIRECTORIES(${CMAKE_CURRENT_SOURCE_DIR}/include ${CMAKE_SOURCE_DIR}/history-adaptor/include ${CMAKE_SOURCE_DIR}/tab-adaptor/include + ${CMAKE_SOURCE_DIR}/common-adaptor/include ${CMAKE_SOURCE_DIR}/bookmark-adaptor/include) set(BP_LINK_LIBRARIES ${GLIB-2_LIBRARIES} diff --git a/provider/browser-provider-bookmarks.c b/provider/browser-provider-bookmarks.c index 4d7c2bb..4f6b5e7 100755 --- a/provider/browser-provider-bookmarks.c +++ b/provider/browser-provider-bookmarks.c 
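Review bot: In `bp_common_adaptor_get_blob_shm` the new range check accepts `blob_width` and `blob_height` up to and including `BP_MAX_INT_COUNT`, so any consumer that multiplies the two in `int` arithmetic can overflow; those consumers are outside this hunk, so this is a risk to confirm rather than a demonstrated fault. The comparison here is inclusive (`> BP_MAX_INT_COUNT`) while the length checks elsewhere in the patch are exclusive (`< BP_MAX_INT_COUNT`), which leaves the meaning of the limit ambiguous. A per-dimension cap chosen for real image sizes, e.g. `if (blob_width < 0 || blob_width > BP_MAX_BLOB_DIMENSION || blob_height < 0 || blob_height > BP_MAX_BLOB_DIMENSION) {` with `BP_MAX_BLOB_DIMENSION` as a placeholder constant, would be a meaningful bound. Note also that the error return happens after `*value = shm->mem;` in the context lines, so callers should be documented as not using `*value` when -1 is returned.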
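Review bot: `BP_MAX_INT_COUNT` is added to common-adaptor.h without a comment, and its name suggests an element count although the patch uses it for byte lengths, image dimensions and timestamp counts. The literal 2147483646 equals `INT_MAX - 1` only where `int` is 32 bits wide; writing `#define BP_MAX_INT_COUNT (INT_MAX - 1)` with `<limits.h>` included, plus a one-line comment such as `/* upper bound for int values received over IPC */`, would state the intent and stay correct on other widths.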
@@ -30,6 +30,7 @@ #include "browser-provider-requests.h" #include "bookmark-adaptor.h" +#include "common-adaptor.h" static sqlite3 *g_db_handle = 0; static sqlite3_stmt *g_db_basic_get_info_stmt = NULL; @@ -322,7 +323,7 @@ static bp_error_defs __bp_bookmark_get_cond_timestamp_ids(int sock) bp_ipc_send_errorcode(sock, BP_ERROR_IO_ERROR); return BP_ERROR_IO_ERROR; } - if (timestamp_count > 0) { + if (timestamp_count < BP_MAX_INT_COUNT && timestamp_count > 0) { bp_bookmark_timestamp_fmt t_timestamps[timestamp_count]; int i = 0; for (; i < timestamp_count; i++) { diff --git a/provider/browser-provider-history.c b/provider/browser-provider-history.c index 8331ad6..00a08b5 100755 --- a/provider/browser-provider-history.c +++ b/provider/browser-provider-history.c @@ -30,6 +30,7 @@ #include "browser-provider-requests.h" #include "history-adaptor.h" +#include "common-adaptor.h" static sqlite3 *g_db_handle = 0; static sqlite3_stmt *g_db_basic_get_info_stmt = NULL; @@ -309,7 +310,7 @@ static bp_error_defs __bp_history_get_cond_timestamp_ids(int sock) bp_ipc_send_errorcode(sock, BP_ERROR_IO_ERROR); return BP_ERROR_IO_ERROR; } - if (timestamp_count > 0) { + if (timestamp_count < BP_MAX_INT_COUNT && timestamp_count > 0) { bp_history_timestamp_fmt t_timestamps[timestamp_count]; int i = 0; for (; i < timestamp_count; i++) { diff --git a/provider/browser-provider-requests.c b/provider/browser-provider-requests.c index 7051203..8079197 100755 --- a/provider/browser-provider-requests.c +++ b/provider/browser-provider-requests.c @@ -37,6 +37,7 @@ #include "browser-provider-db.h" #include "browser-provider-requests.h" #include "browser-provider-shm.h" +#include "common-adaptor.h" #define BP_PREFIX_URL_PROTOCOL "http\%://" #define BP_PREFIX_URL_WWW "http\%://www.\%" 
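Review bot: In `__bp_bookmark_get_cond_timestamp_ids` the guarded block still declares the variable-length array `t_timestamps[timestamp_count]` on the stack, and a bound of `BP_MAX_INT_COUNT` does not limit its size in any practical way, so a large count (apparently received over `sock`) can exhaust the stack before the loop runs. The identical pattern is in the `__bp_history_get_cond_timestamp_ids` hunk in provider/browser-provider-history.c. A small cap, for example `if (timestamp_count > 0 && timestamp_count <= BP_MAX_IDS_COUNT) {` (that macro is 512 in common-adaptor.h; whether it is the right limit for timestamps should be confirmed), or a checked heap allocation instead of the VLA, would bound it. Both functions continue outside their hunks, so the handling of a rejected count is not visible here.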
@@ -584,7 +585,7 @@ bp_error_defs bp_common_set_blob(sqlite3 *handle, bp_ipc_send_errorcode(sock, BP_ERROR_IO_ERROR); return BP_ERROR_IO_ERROR; } - if (blob_length > 0) { + if (blob_length < BP_MAX_INT_COUNT && blob_length > 0) { blob_data = (unsigned char *)calloc(blob_length, sizeof(unsigned char)); if (blob_data == NULL) { @@ -648,7 +649,7 @@ bp_error_defs bp_common_set_blob_with_size(sqlite3 *handle, bp_ipc_send_errorcode(sock, BP_ERROR_IO_ERROR); return BP_ERROR_IO_ERROR; } - if (blob_length > 0) { + if (blob_length < BP_MAX_INT_COUNT && blob_length > 0) { if (bp_ipc_read_custom_type(sock, &width, sizeof(int)) < 0) { TRACE_ERROR("[ERROR][%d] SET_BLOB [IO_ERROR]", id); bp_ipc_send_errorcode(sock, BP_ERROR_IO_ERROR); @@ -874,8 +875,7 @@ bp_error_defs bp_common_set_blob_shm(sqlite3 *handle, bp_ipc_send_errorcode(sock, BP_ERROR_IO_ERROR); return BP_ERROR_IO_ERROR; } - if (blob_length > 0) { - + if ( blob_length < BP_MAX_INT_COUNT && blob_length > 0) { unsigned char *blob_buffer = NULL; unsigned char *blob_data = NULL; // read here what IPC should be used below from provider.
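Review bot: In the `bp_common_set_blob_with_size` hunk, `width` is read from the socket directly inside the new length guard, and the only test visible on it is the I/O result of `bp_ipc_read_custom_type`; the adaptor-side function `bp_common_adaptor_get_blob_shm` gained range checks for width and height in this patch, but no counterpart appears in the provider lines shown. If the lines outside the hunk do not already validate it, a check such as `if (width < 0 || width > BP_MAX_INT_COUNT) { bp_ipc_send_errorcode(sock, BP_ERROR_IO_ERROR); return BP_ERROR_IO_ERROR; }` (and the same for the height, presumably read next) would keep both ends of the IPC consistent. As a style point, the `bp_common_set_blob_shm` hunk writes `if ( blob_length` with a stray space after the parenthesis, unlike the other added conditions.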