From 265e328cf364a7eaf7d6f845c8fcdd52831b506d Mon Sep 17 00:00:00 2001
From: Kyungwook Tak
Date: Thu, 9 Feb 2017 16:38:43 +0900
Subject: [PATCH] Fix svace defects
Change-Id: Ib8740613250c789ce43d95c083e0f9a03a9ca97c
Signed-off-by: Kyungwook Tak
---
 tadcore/DrmFileHandleMgr/DrmFileHandler.cpp | 4 +++
 tadcore/Svc/DrmTdcSvc.cpp | 25 +++++++++++++++++--
 tadcore/XMLParser/CXMLFile.cpp | 6 +++++
 tadcore/include/DrmFileHandler.h | 38 ++++++++++++++---------------
 4 files changed, 52 insertions(+), 21 deletions(-)
diff --git a/tadcore/DrmFileHandleMgr/DrmFileHandler.cpp b/tadcore/DrmFileHandleMgr/DrmFileHandler.cpp
index 0776dff..822078f 100644
--- a/tadcore/DrmFileHandleMgr/DrmFileHandler.cpp
+++ b/tadcore/DrmFileHandleMgr/DrmFileHandler.cpp
@@ -144,6 +144,10 @@ int DrmFileHandler::Construct(const char* szDrmFilePath)
 fseek(m_pFP, 0, SEEK_END);
 m_OriginEndOffset = ftell(m_pFP);
+ if (m_OriginEndOffset < m_PlaintextStartOffset) {
+ DRM_TAPPS_EXCEPTION("Invalid file offset... offset is bigger than file size");
+ return TADC_FILE_OPEN_ERROR;
+ }
 m_plaintextSize = m_OriginEndOffset - m_PlaintextStartOffset;
 if (m_plaintextSize != t_DRMHeader.PlaintextSize) {
diff --git a/tadcore/Svc/DrmTdcSvc.cpp b/tadcore/Svc/DrmTdcSvc.cpp
index cf2d49d..b3bc9be 100644
--- a/tadcore/Svc/DrmTdcSvc.cpp
+++ b/tadcore/Svc/DrmTdcSvc.cpp
@@ -186,11 +186,22 @@ bool DrmTdcDecryptPackage(
 }
 fseek(hFile1, 0, SEEK_END);
- auto size1 = ftell(hFile1);
+ auto size1 = static_cast(ftell(hFile1));
 auto offset = t_FileHeader.Offset1 + 35 + t_DRMHeader.XmlSize;
 fseek(hFile1, offset, SEEK_SET);
+ if (size1 < offset) {
+ DRM_TAPPS_EXCEPTION("Invalid offset... offset is bigger than file size");
+ fclose(hFile1);
+ fclose(hFile2);
+ TADC_MEMFree_FileHeader(&t_FileHeader);
+ TADC_MEMFree_DRMHeader(&t_DRMHeader);
+ TADC_MEMFree_RO(&t_RO);
+ TADC_IF_Free(pReadBuf);
+ return FALSE;
+ }
+
 auto size2 = size1 - offset; //plain file size
 auto BlockCnt = (size2 / 512) + ((size2 % 512) ? 1 : 0);
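Review bot: In DrmFileHandler::Construct the new guard `m_OriginEndOffset < m_PlaintextStartOffset` also absorbs an `ftell` failure, because `ftell` returns -1 on error and that case is then logged as an oversized offset; the `fseek` result just above is not checked either. A separate `if (m_OriginEndOffset < 0)` check with its own message would keep an I/O error distinguishable from a malformed header. The guard also assumes `m_PlaintextStartOffset` (an `int`, per the header changed in this commit) is non-negative; it is computed outside the hunk, presumably from fields read from the file, so it is worth confirming that a negative value is rejected before this point. Whether `m_pFP` is closed elsewhere after the early `return TADC_FILE_OPEN_ERROR` cannot be seen here, since Construct's body starts and ends outside the hunk.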
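Review bot: In DrmTdcDecryptPackage the added `size1 < offset` test runs after `fseek(hFile1, offset, SEEK_SET)` and on a `size1` that has already been cast, so neither an `ftell` failure nor a wrapped `offset` is reliably caught. `offset` is `t_FileHeader.Offset1 + 35 + t_DRMHeader.XmlSize`, built from header fields that appear to come from the package file; if the cast target is unsigned (the type is not legible on this page), a -1 from `ftell` becomes a very large `size1` and passes the test, and a sum that wraps to a small value passes it as well. I would keep the raw result, `long pos = ftell(hFile1);`, reject `pos < 0`, bound each header field against `pos` before adding them, and only then seek. The same applies to the identical hunk in DrmTdcDecryptPackage2; both copies also repeat the whole cleanup sequence by hand, and the second omits `TADC_MEMFree_RO(&t_RO)`, which is presumably correct there but cannot be confirmed because both function bodies extend outside the hunks.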
@@ -310,11 +321,21 @@ bool DrmTdcDecryptPackage2(
 }
 fseek(hFile1, 0, SEEK_END);
- auto size1 = ftell(hFile1);
+ auto size1 = static_cast(ftell(hFile1));
 auto offset = t_FileHeader.Offset1 + 35 + t_DRMHeader.XmlSize;
 fseek(hFile1, offset, SEEK_SET );
+ if (size1 < offset) {
+ DRM_TAPPS_EXCEPTION("Invalid offset... offset is bigger than file size");
+ fclose(hFile1);
+ fclose(hFile2);
+ TADC_MEMFree_FileHeader(&t_FileHeader);
+ TADC_MEMFree_DRMHeader(&t_DRMHeader);
+ TADC_IF_Free(pReadBuf);
+ return FALSE;
+ }
+
 auto size2 = size1 - offset; //plain file size
 auto BlockCnt = (size2 / 512) + ((size2 % 512) ? 1 : 0);
diff --git a/tadcore/XMLParser/CXMLFile.cpp b/tadcore/XMLParser/CXMLFile.cpp
index f4b32c0..4dcc656 100644
--- a/tadcore/XMLParser/CXMLFile.cpp
+++ b/tadcore/XMLParser/CXMLFile.cpp
@@ -14,6 +14,8 @@
 * limitations under the License.
 */
+#include
+
 #include "CXMLFile.h"
 #include "TADC_IF.h"
 #include "TADC_ErrorCode.h"
@@ -100,6 +102,10 @@ int CXMLFile::LoadFromFile(LPCTSTR pszFileName)
 dwFileSize = ftell(hFile);
 fseek(hFile, 0, SEEK_SET);
+ if (dwFileSize > LONG_MAX - 256) {
+ nResult = -1;
+ goto finish;
+ }
 pbBuffer = new BYTE[ dwFileSize + 1 ];
 IF_TRUE_GOTO( pbBuffer == NULL, TADC_MEMAlOC_ERROR );
diff --git a/tadcore/include/DrmFileHandler.h b/tadcore/include/DrmFileHandler.h
index 7ef315b..cdbdcad 100644
--- a/tadcore/include/DrmFileHandler.h
+++ b/tadcore/include/DrmFileHandler.h
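Review bot: In CXMLFile::LoadFromFile the new bound `dwFileSize > LONG_MAX - 256` is applied after the `ftell` result has been stored in `dwFileSize`, so its effect depends on that variable's type, which is declared outside the hunk. If it is a 32-bit unsigned type, as the `dw` prefix suggests, the comparison can never be true where `long` is 64 bits, and a failed `ftell` (-1) becomes 0xFFFFFFFF so that `dwFileSize + 1` wraps to 0 in `new BYTE[ dwFileSize + 1 ]`. Checking the signed result first, `long lSize = ftell(hFile); if (lSize < 0 || lSize > MAX_XML_FILE_SIZE) { nResult = -1; goto finish; }` (MAX_XML_FILE_SIZE is a placeholder for a documented project limit), would also cap how much memory a large input can request; the 256 margin deserves a comment either way. The error path sets a bare `nResult = -1` where the following line uses `IF_TRUE_GOTO` with a named error code, so a named code would be more consistent.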
@@ -36,23 +36,23 @@ private:
 int DrmDecryptBlocks(void);
 long long GetCurBlockIndex(void);
- unsigned char *m_pFilePath;
- unsigned char *m_pCID;
- unsigned char *m_pCEK;
- unsigned char *m_pDecBuf;
-
- int m_PlaintextStartOffset;
- FILE *m_pFP;
-
- long m_encryptionLevel;
- long long m_encryptionRange;
- long long m_plaintextSize;
- long long m_OriginEndOffset;
- long long m_OriginCurOffset;
- long long m_DrmCurOffset;
- long long m_DrmEndOffset;
- long long m_blockCnt;
- long long m_curBlockIndex;
- long long m_decReadlen;
- long long m_extraReadlen;
+ unsigned char *m_pFilePath = nullptr;
+ unsigned char *m_pCID = nullptr;
+ unsigned char *m_pCEK = nullptr;
+ unsigned char *m_pDecBuf = nullptr;
+
+ int m_PlaintextStartOffset = 0;
+ FILE *m_pFP = nullptr;
+
+ long m_encryptionLevel = 0;
+ long long m_encryptionRange = 0;
+ long long m_plaintextSize = 0;
+ long long m_OriginEndOffset = 0;
+ long long m_OriginCurOffset = 0;
+ long long m_DrmCurOffset = 0;
+ long long m_DrmEndOffset = 0;
+ long long m_blockCnt = 0;
+ long long m_curBlockIndex = 0;
+ long long m_decReadlen = 0;
+ long long m_extraReadlen = 0;
 };
-- 2.7.4