From 0bfc844d355b54245f3a58ff27b85389c5cd008e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tomasz=20Boche=C5=84ski?= <t.bochenski@partner.samsung.com>
Date: Tue, 13 Mar 2018 18:42:06 +0100
Subject: [PATCH] [base-utils][i18ninfo] Overflow bug fixed.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Change-Id: I7dfd767da7c51653ef98c78a2bba4980eb9d86bd
Signed-off-by: Tomasz BocheÅski <t.bochenski@partner.samsung.com>
---
 i18ninfo/i18ninfo.cpp | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/i18ninfo/i18ninfo.cpp b/i18ninfo/i18ninfo.cpp
index f51f57b..bfd0d35 100644
--- a/i18ninfo/i18ninfo.cpp
+++ b/i18ninfo/i18ninfo.cpp
@@ -1133,7 +1133,7 @@ i18n_uchar *_convert_unicode_numeric_values(const i18n_uchar *input, int32_t len
 {
 	if (length <= 0)
 		return NULL;
-	int32_t output_length = 0;
+	int32_t output_length = 1;
 
 	double *values = (double *) malloc(length * sizeof(double));
 	int max_value_length = 0;
@@ -1159,8 +1159,12 @@ i18n_uchar *_convert_unicode_numeric_values(const i18n_uchar *input, int32_t len
 	if (!INT_ADD_RANGE_OVERFLOW(max_value_length, 1))
 		max_value_length += 1;
 
-	i18n_uchar *output = (i18n_uchar *) malloc((output_length + 1) * sizeof(input[0]));
-	i18n_ustring_mem_set(output, '\0', output_length + 1);
+	i18n_uchar *output = (i18n_uchar *) calloc(output_length, sizeof(input[0]));
+	if (output == NULL) {
+		free(values);
+		return NULL;
+	}
+	i18n_ustring_mem_set(output, '\0', output_length);
 	char *tmp = (char *) malloc((max_value_length) * sizeof(input[0]));
 	i18n_uchar *c = (i18n_uchar *) malloc((max_value_length) * sizeof(input[0]));
 
@@ -1172,7 +1176,6 @@ i18n_uchar *_convert_unicode_numeric_values(const i18n_uchar *input, int32_t len
 			if (NULL == tmp) {
 				free(values);
 				free(c);
-				free(tmp);
 				free(output);
 				return NULL;
 			}
@@ -1204,13 +1207,17 @@ static int __convert_number(char *custom_number)
 		printf(" Input number : %s\n", input_number);
 		number_to_convert =
 		    (i18n_uchar *) malloc(sizeof(i18n_uchar) * (strlen(input_number) + 1));
-		if (NULL == number_to_convert) {
-			free(number_to_convert);
+		if (NULL == number_to_convert)
 			return I18N_ERROR_OUT_OF_MEMORY;
-		}
+
 		i18n_ustring_copy_ua_n(number_to_convert, input_number, BUF_SIZE);
 
 		i18n_uchar *str = _convert_unicode_numeric_values(number_to_convert, i18n_ustring_get_length(number_to_convert));
+		if (NULL == str) {
+			printf("\nError: Out of memory.\n");
+			free(number_to_convert);
+			return 0;
+		}
 		char p_string[BUF_SIZE];
 		i18n_ustring_copy_au_n(p_string, str, BUF_SIZE);
 		printf(" Convert number : %s\n", p_string);
@@ -1225,6 +1232,11 @@ static int __convert_number(char *custom_number)
 		i18n_ustring_copy_ua(number_to_convert, input_number);
 
 		i18n_uchar *str = _convert_unicode_numeric_values(number_to_convert, i18n_ustring_get_length(number_to_convert));
+		if (NULL == str) {
+			printf("\nError: Out of memory.\n");
+			free(number_to_convert);
+			return 0;
+		}
 		char p_string[BUF_SIZE];
 		i18n_ustring_copy_au_n(p_string, str, BUF_SIZE);
 		printf(" Convert number : %s\n", p_string);
-- 
2.7.4