From ba79ea1537a672c29709079f895d41b827b91a6b Mon Sep 17 00:00:00 2001
From: Junkyeong Kim <jk0430.kim@samsung.com>
Date: Wed, 21 Nov 2018 18:01:46 +0900
Subject: [PATCH] prevent copying error over TDM_NAME_LEN(64) length string

Change-Id: I63b7a3f869fae588127bc5ea9c7b4728980a51aa
Signed-off-by: Junkyeong Kim <jk0430.kim@samsung.com>
---
 client/tdm_client.c | 3 ++-
 src/tdm_output.c    | 9 ++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/client/tdm_client.c b/client/tdm_client.c
index d60c6c9..fd51b29 100644
--- a/client/tdm_client.c
+++ b/client/tdm_client.c
@@ -2082,7 +2082,8 @@ tdm_client_create_voutput(tdm_client *client, const char *name, tdm_error *error
 	LIST_INITHEAD(&private_voutput->buffer_list);
 
 	private_voutput->private_client = private_client;
-	strncpy(private_voutput->name, name, TDM_NAME_LEN);
+	strncpy(private_voutput->name, name, TDM_NAME_LEN - 1);
+	private_voutput->name[TDM_NAME_LEN - 1] = '\0';
 
 	private_voutput->wl_voutput = wl_tdm_create_voutput((struct wl_tdm *)wrapper, name);
 	wl_proxy_wrapper_destroy(wrapper);
diff --git a/src/tdm_output.c b/src/tdm_output.c
index 16b7bf1..e043569 100644
--- a/src/tdm_output.c
+++ b/src/tdm_output.c
@@ -1119,7 +1119,7 @@ _tdm_voutput_cb_commit(tdm_voutput *voutput_backend, unsigned int sequence,
 {
 	tdm_private_voutput_commit_handler *voutput_commit_handler = NULL;
 	tdm_private_module *private_module;
-	tdm_private_voutput *private_voutput = NULL, *v;
+	tdm_private_voutput *private_voutput = NULL, *v = NULL;
 	tdm_private_output *private_output;
 	tdm_thread_cb_voutput_commit voutput_commit;
 	tdm_error ret;
@@ -2054,9 +2054,12 @@ tdm_voutput_create(tdm_display *dpy, const char *name, tdm_error *error)
 			func_voutput->voutput_destroy(voutput_backend);
 		else
 			TDM_ERR("no destroy function");
+		private_voutput = NULL;
 	} else {
-		strncpy(private_voutput->name, name, TDM_NAME_LEN);
-		strncpy(private_output->name, name, TDM_NAME_LEN);
+		strncpy(private_voutput->name, name, TDM_NAME_LEN - 1);
+		private_voutput->name[TDM_NAME_LEN - 1] = '\0';
+		strncpy(private_output->name, name, TDM_NAME_LEN - 1);
+		private_output->name[TDM_NAME_LEN - 1] = '\0';
 
 		private_voutput->private_output = private_output;
 		private_output->private_voutput = private_voutput;
-- 
2.7.4