Fix SVACE defects: add checking higher bound 77/78177/1 accepted/tizen/mobile/20160706.013641 submit/tizen/20160705.084920
authorSangchul Lee <sc11.lee@samsung.com>
Mon, 4 Jul 2016 11:53:27 +0000 (20:53 +0900)
committerSangchul Lee <sc11.lee@samsung.com>
Mon, 4 Jul 2016 11:54:37 +0000 (20:54 +0900)
[Version] 0.1.16
[Profile] Mobile
[Issue Type] Bug Fix

Change-Id: I691a224f0a6cbc2516ece540e51d8bdc3144dae5
Signed-off-by: Sangchul Lee <sc11.lee@samsung.com>
packaging/audio-hal-sc7727.spec
tizen-audio-volume.c

index c651260..cf665c1 100644 (file)
@@ -1,6 +1,6 @@
 Name:       audio-hal-sc7727
 Summary:    TIZEN Audio HAL for SC7727
-Version:    0.1.15
+Version:    0.1.16
 Release:    0
 Group:      System/Libraries
 License:    Apache-2.0
index da10975..f607718 100644 (file)
@@ -40,6 +40,7 @@
 #define RADIO_TUNING_ENABLE         "tuning:enable"
 #define RADIO_TUNING_VOLUME_LEVELS  "fmradio:volume_levels"
 #define RADIO_TUNING_VOLUME_TABLE   "fmradio:volume_table"
+#define RADIO_VOLUME_NUM_MAX        100
 
 static const char *g_volume_vconf[AUDIO_VOLUME_TYPE_MAX] = {
     "file/private/sound/volume/system",         /* AUDIO_VOLUME_TYPE_SYSTEM */
@@ -310,15 +311,15 @@ static audio_return_t __load_radio_volume_table(int** volume_table, int *number_
     }
 
     *number_of_elements = iniparser_getint(dict, RADIO_TUNING_VOLUME_LEVELS, -1);
-    if (*number_of_elements <= 0) {
+    if (*number_of_elements <= 0 || *number_of_elements > RADIO_VOLUME_NUM_MAX) {
         AUDIO_LOG_ERROR("invalid number of elements, %d", *number_of_elements);
         ret = AUDIO_ERR_INTERNAL;
         goto error;
     }
     temp_table = (int *)malloc((*number_of_elements) * sizeof(int));
-    if (!temp_table) {
+    if (!temp_table)
         goto error;
-    }
+
     *volume_table = temp_table;
 
     list_str = iniparser_getstring(dict, RADIO_TUNING_VOLUME_TABLE, NULL);
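Review bot: The allocation-failure branch right after the `malloc` jumps to `error` without assigning `ret`, unlike the range check just above it, which sets `ret = AUDIO_ERR_INTERNAL` first. If `ret` still holds a success value at that point (its initialisation is outside the hunk), the caller would see success while `*volume_table` was never assigned and `*number_of_elements` holds a valid-looking count. I would write `if (!temp_table) { AUDIO_LOG_ERROR("failed to allocate volume table"); ret = AUDIO_ERR_INTERNAL; goto error; }`. The new `RADIO_VOLUME_NUM_MAX` check only caps the allocation size. The loop that fills the table from `RADIO_TUNING_VOLUME_TABLE` is outside the hunk, so it is worth confirming that it stops after `*number_of_elements` entries, because that is what keeps a long ini string from writing past the buffer.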