From 55431a458d8a0b2c06172b5c3cb91ebfb29f8722 Mon Sep 17 00:00:00 2001
From: "Eunki, Hong" <eunkiki.hong@samsung.com>
Date: Mon, 4 Mar 2024 09:53:50 +0900
Subject: [PATCH] Fix svace phase 1 : Integer overflow cases resolve

gl-proxy : uint32_t * uint32_t is not enough. Sampler will be break if we call Acuumulate after 2^16 frames.
socket / cairo-renderer : Guard some negative value as unsigned int.
async-task-manager / font-client : Guard 0 to -1 operation.

Change-Id: Ie3addabf669b80153fc9a5d605628168293a53b3
Signed-off-by: Eunki, Hong <eunkiki.hong@samsung.com>
---
 .../graphics/gles/gl-proxy-implementation.cpp      |  4 +--
 dali/internal/network/common/socket-impl.cpp       |  8 +++++-
 .../system/common/async-task-manager-impl.cpp      |  4 +--
 .../text/text-abstraction/cairo-renderer.cpp       | 10 ++++----
 .../plugin/font-client-plugin-impl.cpp             | 29 ++++++++++++----------
 5 files changed, 32 insertions(+), 23 deletions(-)

diff --git a/dali/internal/graphics/gles/gl-proxy-implementation.cpp b/dali/internal/graphics/gles/gl-proxy-implementation.cpp
index 33da896..0e8cd7d 100644
--- a/dali/internal/graphics/gles/gl-proxy-implementation.cpp
+++ b/dali/internal/graphics/gles/gl-proxy-implementation.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022 Samsung Electronics Co., Ltd.
+ * Copyright (c) 2024 Samsung Electronics Co., Ltd.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -85,7 +85,7 @@ void Sampler::Accumulate()
   mNumSamples++;
 
   mAccumulated += mCurrentFrameCount;
-  mAccumulatedSquare += (mCurrentFrameCount * mCurrentFrameCount);
+  mAccumulatedSquare += (static_cast<uint64_t>(mCurrentFrameCount) * static_cast<uint64_t>(mCurrentFrameCount));
   mCurrentFrameCount = 0;
 }
 const char* Sampler::GetDescription() const
diff --git a/dali/internal/network/common/socket-impl.cpp b/dali/internal/network/common/socket-impl.cpp
index e34ed4a..7f7198d 100644
--- a/dali/internal/network/common/socket-impl.cpp
+++ b/dali/internal/network/common/socket-impl.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022 Samsung Electronics Co., Ltd.
+ * Copyright (c) 2024 Samsung Electronics Co., Ltd.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -342,6 +342,12 @@ bool Socket::Write(const void* buffer, unsigned int bufferSizeInBytes)
 
   while(bytesWritten != static_cast<int>(bufferSizeInBytes))
   {
+    if(bufferSizeInBytes < bytesWritten)
+    {
+      DALI_LOG_ERROR("Socket writer error! required size : %u byte, real written : %d byte \n", bufferSizeInBytes, bytesWritten);
+      return false;
+    }
+
     const char* byteBuffer = static_cast<const char*>(buffer);
     byteBuffer += bytesWritten;
 
diff --git a/dali/internal/system/common/async-task-manager-impl.cpp b/dali/internal/system/common/async-task-manager-impl.cpp
index 3f9ee4e..2f2a2bf 100644
--- a/dali/internal/system/common/async-task-manager-impl.cpp
+++ b/dali/internal/system/common/async-task-manager-impl.cpp
@@ -711,7 +711,7 @@ void AsyncTaskManager::RemoveTask(AsyncTaskPtr task)
         for(auto& iterator : mapIter->second)
         {
           DALI_ASSERT_DEBUG((*iterator) == task);
-          if((*iterator)->GetPriorityType() == AsyncTask::PriorityType::HIGH)
+          if((*iterator)->GetPriorityType() == AsyncTask::PriorityType::HIGH && mWaitingHighProirityTaskCounts > 0u)
           {
             // Decrease the number of waiting tasks for high priority.
             --mWaitingHighProirityTaskCounts;
@@ -1057,7 +1057,7 @@ AsyncTaskPtr AsyncTaskManager::PopNextTaskToProcess()
           }
         }
 
-        if(priorityType == AsyncTask::PriorityType::HIGH)
+        if(priorityType == AsyncTask::PriorityType::HIGH && mWaitingHighProirityTaskCounts > 0u)
         {
           // Decrease the number of waiting tasks for high priority.
           --mWaitingHighProirityTaskCounts;
diff --git a/dali/internal/text/text-abstraction/cairo-renderer.cpp b/dali/internal/text/text-abstraction/cairo-renderer.cpp
index 4d7af0d..03ef5dd 100644
--- a/dali/internal/text/text-abstraction/cairo-renderer.cpp
+++ b/dali/internal/text/text-abstraction/cairo-renderer.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022 Samsung Electronics Co., Ltd.
+ * Copyright (c) 2024 Samsung Electronics Co., Ltd.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -369,7 +369,7 @@ void CopyImageToSurface(
   const int                                        rgbaCase,
   const double                                     glyphX,
   const double                                     glyphY,
-  const int                                        strideWidth,
+  const unsigned int                               strideWidth,
   const Vector4&                                   color,
   const bool                                       doBlendWithTextColor)
 {
@@ -685,9 +685,9 @@ Devel::PixelBuffer RenderTextCairo(const TextAbstraction::TextRenderer::Paramete
 
   // This function provides a stride value that will respect all alignment requirements of the
   // accelerated image-rendering code within cairo.
-  const int stride      = cairo_format_stride_for_width(cairoFormat,
+  const int          stride      = cairo_format_stride_for_width(cairoFormat,
                                                    static_cast<int>(parameters.width));
-  const int strideWidth = stride / bpp;
+  const unsigned int strideWidth = static_cast<unsigned int>(std::abs(stride)) / bpp;
 
   // Convert from DALi glyphs to Cairo glyphs.
   std::vector<cairo_glyph_t> cairoGlyphs;
@@ -736,7 +736,7 @@ Devel::PixelBuffer RenderTextCairo(const TextAbstraction::TextRenderer::Paramete
   Devel::PixelBuffer pixelBuffer = Devel::PixelBuffer::New(strideWidth, parameters.height, pixelFormat);
 
   unsigned char*     buffer     = pixelBuffer.GetBuffer();
-  const unsigned int bufferSize = stride * parameters.height;
+  const unsigned int bufferSize = static_cast<unsigned int>(std::abs(stride)) * parameters.height;
   memset(buffer, 0, bufferSize);
 
   std::unique_ptr<cairo_surface_t, void (*)(cairo_surface_t*)> surfacePtr(cairo_image_surface_create_for_data(buffer,
diff --git a/dali/internal/text/text-abstraction/plugin/font-client-plugin-impl.cpp b/dali/internal/text/text-abstraction/plugin/font-client-plugin-impl.cpp
index 2d9ac73..e7b8ec3 100644
--- a/dali/internal/text/text-abstraction/plugin/font-client-plugin-impl.cpp
+++ b/dali/internal/text/text-abstraction/plugin/font-client-plugin-impl.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023 Samsung Electronics Co., Ltd.
+ * Copyright (c) 2024 Samsung Electronics Co., Ltd.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -765,21 +765,24 @@ FontId FontClient::Plugin::GetFontId(const FontDescription& fontDescription,
   // Check if exists a pair 'fontDescriptionId, requestedPointSize' in the cache.
   if(!mCacheHandler->FindFont(fontDescriptionId, requestedPointSize, fontCacheIndex))
   {
-    // Retrieve the font file name path.
-    const FontDescription& description = *(mCacheHandler->mFontDescriptionCache.begin() + fontDescriptionId - 1u);
+    if(fontDescriptionId > 0u && fontDescriptionId <= mCacheHandler->mCharacterSetCache.Count())
+    {
+      // Retrieve the font file name path.
+      const FontDescription& description = *(mCacheHandler->mFontDescriptionCache.begin() + fontDescriptionId - 1u);
 
-    // Retrieve the font id. Do not cache the description as it has been already cached.
-    // Note : CacheFontPath() API call ValidateFont() + setup CharacterSet + cache the font description.
-    // So set cacheDescription=false, that we don't call CacheFontPath().
-    fontId = GetFontIdByPath(description.path, requestedPointSize, faceIndex, false);
+      // Retrieve the font id. Do not cache the description as it has been already cached.
+      // Note : CacheFontPath() API call ValidateFont() + setup CharacterSet + cache the font description.
+      // So set cacheDescription=false, that we don't call CacheFontPath().
+      fontId = GetFontIdByPath(description.path, requestedPointSize, faceIndex, false);
 
-    if((fontId > 0u) && (fontId - 1u < mCacheHandler->mFontIdCache.size()))
-    {
-      fontCacheIndex                                              = mCacheHandler->mFontIdCache[fontId - 1u].index;
-      mCacheHandler->mFontFaceCache[fontCacheIndex].mCharacterSet = FcCharSetCopy(mCacheHandler->mCharacterSetCache[fontDescriptionId - 1u]);
+      if((fontId > 0u) && (fontId - 1u < mCacheHandler->mFontIdCache.size()))
+      {
+        fontCacheIndex                                              = mCacheHandler->mFontIdCache[fontId - 1u].index;
+        mCacheHandler->mFontFaceCache[fontCacheIndex].mCharacterSet = FcCharSetCopy(mCacheHandler->mCharacterSetCache[fontDescriptionId - 1u]);
 
-      // Cache the pair 'fontDescriptionId, requestedPointSize' to improve the following queries.
-      mCacheHandler->CacheFontDescriptionSize(fontDescriptionId, requestedPointSize, fontCacheIndex);
+        // Cache the pair 'fontDescriptionId, requestedPointSize' to improve the following queries.
+        mCacheHandler->CacheFontDescriptionSize(fontDescriptionId, requestedPointSize, fontCacheIndex);
+      }
     }
   }
   else
-- 
2.7.4