From 1c7ee94810134a4098d8dca1a7934ae9603ff18f Mon Sep 17 00:00:00 2001
From: SangYoun Kwak <sy.kwak@samsung.com>
Date: Wed, 22 Jan 2025 20:24:19 +0900
Subject: [PATCH] Fix to catch std::bad_array_new_length when allocating array
 using new

The exception std::bad_array_new_length is thrown when the size of new
array is negative or too big to allocate.
Also, this exception cannot be suppressed by std::nothrow, so it should
be catched explicitly when allocating array using 'new' with variable
size.
To make code more reliable, try-catch statements are added to the array
allocating codes using 'new' with variable size.

Change-Id: If1d8b3ce57dace4bb4bc1d976394e4be879ac9ca
Signed-off-by: SangYoun Kwak <sy.kwak@samsung.com>
---
 src/client/sensor_internal.cpp                | 12 ++++++++--
 src/client/sensor_listener.cpp                | 15 +++++++++++--
 .../sensor_provider_channel_handler.cpp       | 10 +++++++--
 src/server/application_sensor_handler.cpp     |  7 +++++-
 src/server/sensor_handler.cpp                 | 22 +++++++++++++++++--
 src/server/sensor_manager.cpp                 |  9 +++++++-
 src/server/server_channel_handler.cpp         | 21 +++++++++++++++---
 7 files changed, 83 insertions(+), 13 deletions(-)

diff --git a/src/client/sensor_internal.cpp b/src/client/sensor_internal.cpp
index 7495933d..a63df3b9 100644
--- a/src/client/sensor_internal.cpp
+++ b/src/client/sensor_internal.cpp
@@ -163,9 +163,17 @@ public:
 	{
 		callback_info_s *info;
 		auto size = msg.size();
-		char *data = new(std::nothrow) char[size];
-		if (data == NULL)
+		char *data = nullptr;
+		try {
+			data = new(std::nothrow) char[size];
+		} catch (std::bad_array_new_length &e) {
+			_E("Failed to allocate memory, invalid size(%zu)", size);
 			return;
+		}
+		if (data == NULL) {
+			_E("Failed to allocate memory");
+			return;
+		}
 		memcpy(data, msg.body(), size);
 
 		info = new(std::nothrow) callback_info_s();
diff --git a/src/client/sensor_listener.cpp b/src/client/sensor_listener.cpp
index 649a4d4f..aab72adf 100644
--- a/src/client/sensor_listener.cpp
+++ b/src/client/sensor_listener.cpp
@@ -591,7 +591,12 @@ int sensor_listener::set_attribute(int attribute, const char *value, int len)
 
 	size = sizeof(cmd_listener_attr_str_t) + len;
 
-	buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[size];
+	try {
+		buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[size];
+	} catch (std::bad_array_new_length &e) {
+		_E("Failed to allocate memory, invalid size(%zu)", size);
+		return -EINVAL;
+	}
 	retvm_if(!buf, -ENOMEM, "Failed to allocate memory");
 
 	msg.set_type(CMD_LISTENER_SET_ATTR_STR);
@@ -712,7 +717,13 @@ int sensor_listener::get_sensor_data_list(sensor_data_t **data, int *count)
 	}
 
 	size_t size = reply.size();
-	cmd_listener_get_data_list_t* reply_buf = (cmd_listener_get_data_list_t *) new(std::nothrow) char[size];
+	cmd_listener_get_data_list_t* reply_buf = nullptr;
+	try {
+		reply_buf = (cmd_listener_get_data_list_t *) new(std::nothrow) char[size];
+	} catch (std::bad_array_new_length &e) {
+		_E("Failed to allocate memory, invalid size(%zu)", size);
+		return -EINVAL;
+	}
 
 	retvm_if(!reply_buf, -ENOMEM, "Failed to allocate memory");
 
diff --git a/src/client/sensor_provider_channel_handler.cpp b/src/client/sensor_provider_channel_handler.cpp
index 039c93de..aa43dbea 100644
--- a/src/client/sensor_provider_channel_handler.cpp
+++ b/src/client/sensor_provider_channel_handler.cpp
@@ -68,9 +68,15 @@ void sensor_provider::channel_handler::read(ipc::channel *ch, ipc::message &msg)
 			m_interval_changed_cb(m_provider, buf.value, m_interval_changed_user_data);
 		break;
 	case CMD_PROVIDER_ATTR_STR:
-		cmd_provider_attr_str_t *attr;
+		cmd_provider_attr_str_t *attr = nullptr;
+
+		try {
+			attr = (cmd_provider_attr_str_t *) new(std::nothrow) char[msg.size()];
+		} catch (std::bad_array_new_length &e) {
+			_E("Failed to allocate memory, invalid size(%zu)", msg.size());
+			return;
+		}
 
-		attr = (cmd_provider_attr_str_t *) new(std::nothrow) char[msg.size()];
 		retm_if(!attr, "Failed to allocate memory");
 
 		msg.disclose((char *)attr, msg.size());
diff --git a/src/server/application_sensor_handler.cpp b/src/server/application_sensor_handler.cpp
index a1beab16..afd01658 100644
--- a/src/server/application_sensor_handler.cpp
+++ b/src/server/application_sensor_handler.cpp
@@ -157,7 +157,12 @@ int application_sensor_handler::set_attribute(sensor_observer *ob, int32_t attr,
 
 	size = sizeof(cmd_provider_attr_str_t) + len;
 
-	buf = (cmd_provider_attr_str_t *) new(std::nothrow) char[size];
+	try {
+		buf = (cmd_provider_attr_str_t *) new(std::nothrow) char[size];
+	} catch (std::bad_array_new_length &e) {
+		_E("Failed to allocate memory, invalid size(%zu)", size);
+		return -EINVAL;
+	}
 
 	retvm_if(!buf, -ENOMEM, "Failed to allocate memory");
 
diff --git a/src/server/sensor_handler.cpp b/src/server/sensor_handler.cpp
index dab4570f..f81d3c76 100644
--- a/src/server/sensor_handler.cpp
+++ b/src/server/sensor_handler.cpp
@@ -169,7 +169,12 @@ bool sensor_handler::notify_attribute_changed(uint32_t id, int32_t attribute, co
 	cmd_listener_attr_str_t *buf;
 	size_t size;
 	size = sizeof(cmd_listener_attr_str_t) + len;
-	buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[size];
+	try {
+		buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[size];
+	} catch (std::bad_array_new_length &e) {
+		_E("Failed to allocate memory, invalid size(%zu)", size);
+		return -EINVAL;
+	}
 	retvm_if(!buf, -ENOMEM, "Failed to allocate memory");
 
 	auto msg = ipc::message::create();
@@ -233,11 +238,24 @@ void sensor_handler::update_attribute(int32_t attr, int32_t value)
 
 int sensor_handler::get_attribute(int32_t attr, char **value, int *len)
 {
+	retv_if(!value, OP_ERROR);
+	retv_if(!len, OP_ERROR);
+
 	auto it = m_attributes_str.find(attr);
 	retv_if(it == m_attributes_str.end(), OP_ERROR);
 
 	*len = it->second.size();
-	*value = new(std::nothrow) char[*len];
+	try {
+		*value = new(std::nothrow) char[*len];
+	} catch (std::bad_array_new_length &e) {
+		_E("Failed to allocate memory, invalid size(%d)", *len);
+		return OP_ERROR;
+	}
+	if (*value == nullptr) {
+		_E("Failed to allocate memory");
+		return OP_ERROR;
+	}
+
 	std::copy(it->second.begin(), it->second.end(), *value);
 
 	return OP_SUCCESS;
diff --git a/src/server/sensor_manager.cpp b/src/server/sensor_manager.cpp
index 300c9b3c..659a4538 100644
--- a/src/server/sensor_manager.cpp
+++ b/src/server/sensor_manager.cpp
@@ -365,6 +365,8 @@ size_t sensor_manager::serialize(int sock_fd, char **bytes)
 	sensor_info info;
 	std::vector<char> raw_list;
 
+	retvm_if(!bytes, -EINVAL, "Invalid parameter, bytes cannot be NULL");
+
 	put_int_to_vec(raw_list, m_sensors.size());
 
 	for (auto it = m_sensors.begin(); it != m_sensors.end(); ++it) {
@@ -384,7 +386,12 @@ size_t sensor_manager::serialize(int sock_fd, char **bytes)
 		delete raw;
 	}
 
-	*bytes = new(std::nothrow) char[raw_list.size()];
+	try {
+		*bytes = new(std::nothrow) char[raw_list.size()];
+	} catch (std::bad_array_new_length &e) {
+		_E("Failed to allocate memory, invalid size(%zu)", raw_list.size());
+		return -EINVAL;
+	}
 	retvm_if(!*bytes, -ENOMEM, "Failed to allocate memory");
 
 	std::copy(raw_list.begin(), raw_list.end(), *bytes);
diff --git a/src/server/server_channel_handler.cpp b/src/server/server_channel_handler.cpp
index fd08af1f..54c0d2d5 100644
--- a/src/server/server_channel_handler.cpp
+++ b/src/server/server_channel_handler.cpp
@@ -348,7 +348,12 @@ int server_channel_handler::listener_set_attr_str(channel *ch, message &msg)
 	uint32_t id;
 	cmd_listener_attr_str_t *buf;
 
-	buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[msg.size()];
+	try {
+		buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[msg.size()];
+	} catch (std::bad_array_new_length &e) {
+		_E("Failed to allocate memory, invalid size(%zu)", msg.size());
+		return -EINVAL;
+	}
 	retvm_if(!buf, -ENOMEM, "Failed to allocate memory");
 
 	msg.disclose((char *)buf, msg.size());
@@ -437,7 +442,12 @@ int server_channel_handler::listener_get_attr_str(ipc::channel *ch, ipc::message
 	uint32_t id;
 	cmd_listener_attr_str_t *buf;
 
-	buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[msg.size()];
+	try {
+		buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[msg.size()];
+	} catch (std::bad_array_new_length &e) {
+		_E("Failed to allocate memory, invalid size(%zu)", msg.size());
+		return -EINVAL;
+	}
 	retvm_if(!buf, -ENOMEM, "Failed to allocate memory");
 
 	msg.disclose((char *)buf, msg.size());
@@ -467,7 +477,12 @@ int server_channel_handler::listener_get_attr_str(ipc::channel *ch, ipc::message
 
 	cmd_listener_attr_str_t *reply_buf;
 	size_t size = sizeof(cmd_listener_attr_str_t) + len;
-	reply_buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[size];
+	try {
+		reply_buf = (cmd_listener_attr_str_t *) new(std::nothrow) char[size];
+	} catch (std::bad_array_new_length &e) {
+		_E("Failed to allocate memory, invalid size(%zu)", size);
+		return -EINVAL;
+	}
 	retvm_if(!reply_buf, -ENOMEM, "Failed to allocate memory");
 
 	reply_buf->attribute = attr;
-- 
2.34.1