From 85446841067dfe230fa37d4e4f9a718ac1beafaa Mon Sep 17 00:00:00 2001
From: Hoyub Lee <hoyub.lee@samsung.com>
Date: Mon, 13 Feb 2017 20:26:36 +0900
Subject: [PATCH] pepper: Fix possible integer overflow

Change-Id: Ib0eca42f1d3c16521a9309e2c584b44a994fa279
Signed-off-by: Hoyub Lee <hoyub.lee@samsung.com>
---
 src/lib/pepper/compositor.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/lib/pepper/compositor.c b/src/lib/pepper/compositor.c
index c85530c..f5eba48 100644
--- a/src/lib/pepper/compositor.c
+++ b/src/lib/pepper/compositor.c
@@ -96,6 +96,7 @@ compositor_bind_socket(pepper_compositor_t *compositor, int socket_fd,
 					   const char *name)
 {
 	struct stat buf;
+	int name_length;
 	socklen_t size, name_size;
 	const char *runtime_dir;
 	long flags;
@@ -117,9 +118,15 @@ compositor_bind_socket(pepper_compositor_t *compositor, int socket_fd,
 	}
 
 	compositor->addr.sun_family = AF_LOCAL;
-	name_size = snprintf(compositor->addr.sun_path,
+
+	name_length = snprintf(compositor->addr.sun_path,
 						 sizeof compositor->addr.sun_path,
-						 "%s/%s", runtime_dir, name) + 1;
+						 "%s/%s", runtime_dir, name);
+
+	if (name_length < 0 || name_length == INT32_MAX)
+		goto err_addr;
+
+	name_size = name_length + 1;
 	if (name_size > (int)sizeof(compositor->addr.sun_path)) {
 		PEPPER_ERROR("socket path \"%s/%s\" plus null terminator"
 					 " exceeds 108 bytes\n", runtime_dir, name);
-- 
2.7.4