From a5d9163c90d3bab0bbc2c54952dbaccec8fc5574 Mon Sep 17 00:00:00 2001
From: lokilee73 <changjoo.lee@samsung.com>
Date: Thu, 17 Jan 2019 18:02:44 +0900
Subject: [PATCH] Fix integer overflow in extcon_count.c

Change-Id: I83ac1617238aa664f1c5c6d1cff0c6945f5b1940
Signed-off-by: lokilee73 <changjoo.lee@samsung.com>
---
 src/extcon/extcon_count.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/extcon/extcon_count.c b/src/extcon/extcon_count.c
index 6e5df02..bb9914b 100644
--- a/src/extcon/extcon_count.c
+++ b/src/extcon/extcon_count.c
@@ -47,6 +47,7 @@ int extcon_update_count(int index, unsigned long count)
 	int r;
 	int ret = 0;
 	char buf[BUF_MAX];
+	unsigned long value;
 
 	fd = open(extcon_devices[index].str, O_RDWR | O_CREAT, 0644);
 	if (fd < 0) {
@@ -62,9 +63,15 @@ int extcon_update_count(int index, unsigned long count)
 	}
 
 	buf[r] = '\0';
-	extcon_devices[index].count = strtoul(buf, NULL, 10);
-	extcon_devices[index].count += count;
-
+	value = strtoul(buf, NULL, 10);
+	if (value == ULONG_MAX && errno == ERANGE)
+		_E("converted value is over ULONG MAX(%lu)!", ULONG_MAX);
+	else if (value > ULONG_MAX - count)
+		value = ULONG_MAX;
+	else
+		value += count;
+
+	extcon_devices[index].count = value;
 	lseek(fd, 0, SEEK_SET);
 	_I("ext(%d) count %lu", index, extcon_devices[index].count);
 	snprintf(buf, sizeof(buf), "%lu", extcon_devices[index].count);
-- 
2.7.4