From 3f859445a835fd5d7958272363095313931b6cce Mon Sep 17 00:00:00 2001
From: Boram Park
Date: Wed, 27 Sep 2017 10:32:30 +0900
Subject: [PATCH] add validation check for getenv
Change-Id: I88df5bdfeb5049b0ba3c84fb841a9d062a9c01d9
---
 src/tdm.c | 18 +++++++++++++++---
 src/tdm_server.c | 7 ++++++-
 2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/src/tdm.c b/src/tdm.c
index a27247b..d942f3a 100644
--- a/src/tdm.c
+++ b/src/tdm.c
@@ -773,8 +773,13 @@ _tdm_display_load_module_with_file(tdm_private_display *private_display,
 void *module;
 tdm_error ret;
 double stamp;
+ int size;
- snprintf(path, sizeof(path), TDM_MODULE_PATH "/%s", file);
+ size = snprintf(path, sizeof(path), TDM_MODULE_PATH "/%s", file);
+ if (size >= (int)sizeof(path)) {
+ TDM_WRN("too long: %s/%s", TDM_MODULE_PATH, file);
+ return TDM_ERROR_BAD_MODULE;
+ };
 stamp = tdm_helper_get_time();
 TDM_TRACE_BEGIN(Load_Backend);
@@ -839,16 +844,23 @@ static tdm_error
 _tdm_display_load_module(tdm_private_display *private_display)
 {
 const char *module_name;
+ char module[TDM_NAME_LEN];
 struct dirent **namelist;
- int n;
+ int n, size;
 tdm_error ret = 0;
 module_name = getenv("TDM_MODULE");
 if (!module_name)
 module_name = TDM_DEFAULT_MODULE;
+ size = snprintf(module, sizeof(module), "%s", module_name);
+ if (size >= (int)sizeof(module)) {
+ TDM_ERR("too long: %s", module_name);
+ return TDM_ERROR_OPERATION_FAILED;
+ };
+
 /* load bufmgr priv from default lib */
- ret = _tdm_display_load_module_with_file(private_display, module_name);
+ ret = _tdm_display_load_module_with_file(private_display, (const char*)module);
 if (ret == TDM_ERROR_NONE)
 return TDM_ERROR_NONE;
diff --git a/src/tdm_server.c b/src/tdm_server.c
index d528c10..21c0c9d 100644
--- a/src/tdm_server.c
+++ b/src/tdm_server.c
@@ -790,6 +790,7 @@ _tdm_socket_init(tdm_private_loop *private_loop)
 {
 const char *dir = NULL;
 char socket_path[128];
+ int size;
 int ret = -1;
 uid_t uid;
 gid_t gid;
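Review bot: The truncation test added in `_tdm_display_load_module_with_file` treats a negative `snprintf` return as success, so after a formatting error `path` would be used with unspecified contents; the condition should read `if (size < 0 || size >= (int)sizeof(path)) {`. The block also closes with `};`, which leaves a stray empty statement where a plain `}` is enough. Both points apply equally to the checks added in `_tdm_display_load_module` and in `_tdm_socket_init` (src/tdm_server.c). The function body starts and ends outside this hunk.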
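Review bot: The value of `TDM_MODULE` is checked for length only, yet it is later joined onto `TDM_MODULE_PATH "/%s"` in `_tdm_display_load_module_with_file`, so a name that contains `/` can resolve to a file outside the module directory. That path is presumably handed to the dynamic loader (the call is not visible here), so separators should be rejected before the copy: `if (strchr(module_name, '/')) { TDM_ERR("invalid module name: %s", module_name); return TDM_ERROR_OPERATION_FAILED; }`. If this code can run with more privilege than whoever controls the environment, glibc's `secure_getenv()` is worth considering in place of `getenv()`. The `(const char*)` cast on `module` is unnecessary, because the array already converts to `const char *`. The function continues past the end of the hunk.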
@@ -800,7 +801,11 @@ _tdm_socket_init(tdm_private_loop *private_loop)
 return;
 }
- snprintf(socket_path, sizeof(socket_path), "%s/%s", dir, "tdm-socket");
+ size = snprintf(socket_path, sizeof(socket_path), "%s/%s", dir, "tdm-socket");
+ if (size >= (int)sizeof(socket_path)) {
+ TDM_WRN("too long: %s/tdm-socket", dir);
+ return;
+ };
 ret = chmod(socket_path, 509);
 if (ret < 0) {
--
2.7.4
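Review bot: On an over-long path the new branch in `_tdm_socket_init` only logs a warning and returns from a void function, so the `chmod(socket_path, 509)` step and whatever permission setup follows it are skipped without the caller being able to notice. Consider reporting it with `TDM_ERR`, as the matching check in `_tdm_display_load_module` does, and adding a comment such as `/* bail out: socket mode is left unchanged */` so the consequence is explicit. `dir` appears to come from the environment (its assignment is outside the hunk), and the length check does not confirm that it is an absolute path; `if (dir[0] != '/')` ahead of the `snprintf` would cover that. The decimal mode `509` on the unchanged `chmod` line is `0775` and would read more clearly in octal.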