From 0a9dfff66ff265b19f5bd51a76eb2abb8af8363b Mon Sep 17 00:00:00 2001
From: SangYoun Kwak <sy.kwak@samsung.com>
Date: Thu, 20 Jan 2022 14:14:21 +0900
Subject: [PATCH] Check tmp buffer overflow

Change-Id: I5de5195293f72444d91d7b8f89f72bfe3ac5301e
Signed-off-by: SangYoun Kwak <sy.kwak@samsung.com>
---
 src/libgdbus/libgdbus.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/libgdbus/libgdbus.c b/src/libgdbus/libgdbus.c
index 9eaa937..917b98f 100644
--- a/src/libgdbus/libgdbus.c
+++ b/src/libgdbus/libgdbus.c
@@ -802,6 +802,11 @@ static int _get_xml_from_interfaces(char **xml, const dbus_interface_s *interfac
 				ei = _check_brace(pmethod->signature_in + m + 1);
 				if (ei > 0) {
 					char tmp[128] = {0,};
+					if(ei + 1 > sizeof(tmp) - 1) {
+						_E("tmp buffer for signature_in overflow. sizeof(tmp)=%lu ei=%d\n", sizeof(tmp), ei);
+						free(buf);
+						return -1;
+					}
 					strncpy(tmp, pmethod->signature_in + m, ei + 1);
 					nwrite += snprintf(buf + nwrite, buf_cal_free_space(buf_len, nwrite), "\t\t\t""<arg type='%s' name='arg%d' direction='in'/>""\n", tmp, m);
 					m += ei;
@@ -825,6 +830,11 @@ static int _get_xml_from_interfaces(char **xml, const dbus_interface_s *interfac
 				ei = _check_brace(pmethod->signature_out + m + 1);
 				if (ei > 0) {
 					char tmp[128] = {0,};
+					if(ei + 1 > sizeof(tmp) - 1) {
+						_E("tmp buffer for signature_out overflow. sizeof(tmp)=%lu ei=%d\n", sizeof(tmp), ei);
+						free(buf);
+						return -1;
+					}
 					strncpy(tmp, pmethod->signature_out + m, ei + 1);
 					nwrite += snprintf(buf + nwrite, buf_cal_free_space(buf_len, nwrite), "\t\t\t""<arg type='%s' name='arg%d' direction='out'/>""\n", tmp, m);
 					m += ei;
-- 
2.7.4