From: Kyungwook Tak Date: Thu, 9 Feb 2017 07:38:43 +0000 (+0900) Subject: Fix svace defects X-Git-Tag: accepted/tizen/unified/20170407.190850~1 X-Git-Url: http://review.tizen.org/git/?p=platform%2Fcore%2Fsecurity%2Fdrm-service-core-tizen.git;a=commitdiff_plain;h=99cebf960a4f71ba7e01c5761a3f4c05d90a5036 Fix svace defects Change-Id: Ib8740613250c789ce43d95c083e0f9a03a9ca97c Signed-off-by: Kyungwook Tak (cherry picked from commit 265e328cf364a7eaf7d6f845c8fcdd52831b506d) Signed-off-by: sangwan.kwon
---
diff --git a/tadcore/DrmFileHandleMgr/DrmFileHandler.cpp b/tadcore/DrmFileHandleMgr/DrmFileHandler.cpp
index 63e2e2d..879f80a 100644
--- a/tadcore/DrmFileHandleMgr/DrmFileHandler.cpp
+++ b/tadcore/DrmFileHandleMgr/DrmFileHandler.cpp
@@ -148,6 +148,10 @@ int DrmFileHandler::Construct(const char *szDrmFilePath)
 fseek(m_pFP, 0, SEEK_END);
 m_OriginEndOffset = ftell(m_pFP);
+ if (m_OriginEndOffset < m_PlaintextStartOffset) {
+ DRM_TAPPS_EXCEPTION("Invalid file offset... offset is bigger than file size");
+ return TADC_FILE_OPEN_ERROR;
+ }
 m_plaintextSize = m_OriginEndOffset - m_PlaintextStartOffset;
diff --git a/tadcore/Svc/DrmTdcSvc.cpp b/tadcore/Svc/DrmTdcSvc.cpp
index f1e7bee..e95779e 100644
--- a/tadcore/Svc/DrmTdcSvc.cpp
+++ b/tadcore/Svc/DrmTdcSvc.cpp
@@ -182,11 +182,22 @@ bool DrmTdcDecryptPackage(const char *pTADCFilepath, const char *pLicenseBuf,
 }
 fseek(hFile1, 0, SEEK_END);
- auto size1 = ftell(hFile1);
+ auto size1 = static_cast(ftell(hFile1));
 auto offset = t_FileHeader.Offset1 + 35 + t_DRMHeader.XmlSize;
 fseek(hFile1, offset, SEEK_SET);
+ if (size1 < offset) {
+ DRM_TAPPS_EXCEPTION("Invalid offset... offset is bigger than file size");
+ fclose(hFile1);
+ fclose(hFile2);
+ TADC_MEMFree_FileHeader(&t_FileHeader);
+ TADC_MEMFree_DRMHeader(&t_DRMHeader);
+ TADC_MEMFree_RO(&t_RO);
+ TADC_IF_Free(pReadBuf);
+ return FALSE;
+ }
+
 auto size2 = size1 - offset; //plain file size
 auto BlockCnt = (size2 / 512) + ((size2 % 512) ? 1 : 0);
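Review bot: The guard added to DrmFileHandler::Construct (DrmFileHandler.cpp, hunk at -148) compares the two offsets but never tests ftell() for failure; a -1 is rejected only incidentally when m_PlaintextStartOffset is non-negative, and is then logged as "offset is bigger than file size". A negative m_PlaintextStartOffset, if that value is derived from file contents (not visible here), would pass the guard and make m_plaintextSize larger than the file. Consider `if (m_OriginEndOffset < 0 || m_PlaintextStartOffset < 0 || m_OriginEndOffset < m_PlaintextStartOffset) {`. Construct starts and ends outside the hunk, so whether m_pFP is closed on this early return cannot be confirmed from here.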
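Review bot: The new `size1 < offset` guard in DrmTdcDecryptPackage (DrmTdcSvc.cpp, hunk at -182) does not cover a failed ftell(), because the return value is cast before it is tested; if the cast target is unsigned (the type is not legible on this page), a -1 becomes a huge size1 that passes the guard and yields an enormous size2 and BlockCnt. Test the raw result first, e.g. `long end = ftell(hFile1);` followed by `if (end < 0)` taking the same cleanup path, and move the guard above `fseek(hFile1, offset, SEEK_SET)` so the seek is never issued with an unvalidated offset. offset is a sum of header fields, so the addition can presumably wrap before the comparison; checking Offset1 and XmlSize individually against size1 would close that. The same points apply to the DrmTdcDecryptPackage2 hunk at -309, and both functions start and end outside their hunks.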
@@ -309,11 +320,21 @@ bool DrmTdcDecryptPackage2(const char *pTADCFilepath, T_RO t_RO,
 }
 fseek(hFile1, 0, SEEK_END);
- auto size1 = ftell(hFile1);
+ auto size1 = static_cast(ftell(hFile1));
 auto offset = t_FileHeader.Offset1 + 35 + t_DRMHeader.XmlSize;
 fseek(hFile1, offset, SEEK_SET);
+ if (size1 < offset) {
+ DRM_TAPPS_EXCEPTION("Invalid offset... offset is bigger than file size");
+ fclose(hFile1);
+ fclose(hFile2);
+ TADC_MEMFree_FileHeader(&t_FileHeader);
+ TADC_MEMFree_DRMHeader(&t_DRMHeader);
+ TADC_IF_Free(pReadBuf);
+ return FALSE;
+ }
+
 auto size2 = size1 - offset; //plain file size
 auto BlockCnt = (size2 / 512) + ((size2 % 512) ? 1 : 0);
diff --git a/tadcore/XMLParser/CXMLFile.cpp b/tadcore/XMLParser/CXMLFile.cpp
index 4a1d485..d1433a2 100644
--- a/tadcore/XMLParser/CXMLFile.cpp
+++ b/tadcore/XMLParser/CXMLFile.cpp
@@ -14,6 +14,8 @@
 * limitations under the License.
 */
+#include
+
 #include "CXMLFile.h"
 #include "TADC_IF.h"
 #include "TADC_ErrorCode.h"
@@ -101,6 +103,10 @@ int CXMLFile::LoadFromFile(LPCTSTR pszFileName)
 dwFileSize = ftell(hFile);
 fseek(hFile, 0, SEEK_SET);
+ if (dwFileSize > LONG_MAX - 256) {
+ nResult = -1;
+ goto finish;
+ }
 pbBuffer = new BYTE[dwFileSize + 1];
 IF_TRUE_GOTO(pbBuffer == NULL, TADC_MEMAlOC_ERROR);
diff --git a/tadcore/include/DrmFileHandler.h b/tadcore/include/DrmFileHandler.h
index 1055f11..49a216a 100644
--- a/tadcore/include/DrmFileHandler.h
+++ b/tadcore/include/DrmFileHandler.h
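Review bot: The size guard added to CXMLFile::LoadFromFile (CXMLFile.cpp, hunk at -101) is applied to the value ftell() returned without first testing it for failure, and what a -1 turns into depends on dwFileSize's type, which is declared outside the hunk. If that type is a 32-bit unsigned integer on a platform with 64-bit long, the comparison can never be true and `dwFileSize + 1` wraps to 0 after a failed ftell(). Taking the result into a `long pos` and rejecting `pos < 0 || pos > LONG_MAX - 256` before assigning dwFileSize would make the guard independent of that type. The `256` margin is unexplained while the allocation only adds 1, and `nResult = -1` departs from the TADC_* codes used two lines later, so a short comment on the margin and a named error code would help. LoadFromFile starts and ends outside the hunk.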
@@ -36,25 +36,25 @@ private:
 int DrmDecryptBlocks(void);
 long long GetCurBlockIndex(void);
- unsigned char *m_pFilePath;
- unsigned char *m_pCID;
- unsigned char *m_pCEK;
- unsigned char *m_pDecBuf;
-
- int m_PlaintextStartOffset;
- FILE *m_pFP;
-
- long m_encryptionLevel;
- long long m_encryptionRange;
- long long m_plaintextSize;
- long long m_OriginEndOffset;
- long long m_OriginCurOffset;
- long long m_DrmCurOffset;
- long long m_DrmEndOffset;
- long long m_blockCnt;
- long long m_curBlockIndex;
- long long m_decReadlen;
- long long m_extraReadlen;
+ unsigned char *m_pFilePath = nullptr;
+ unsigned char *m_pCID = nullptr;
+ unsigned char *m_pCEK = nullptr;
+ unsigned char *m_pDecBuf = nullptr;
+
+ int m_PlaintextStartOffset = 0;
+ FILE *m_pFP = nullptr;
+
+ long m_encryptionLevel = 0;
+ long long m_encryptionRange = 0;
+ long long m_plaintextSize = 0;
+ long long m_OriginEndOffset = 0;
+ long long m_OriginCurOffset = 0;
+ long long m_DrmCurOffset = 0;
+ long long m_DrmEndOffset = 0;
+ long long m_blockCnt = 0;
+ long long m_curBlockIndex = 0;
+ long long m_decReadlen = 0;
+ long long m_extraReadlen = 0;
 };
 #endif //__DRMFILEHANDLER_H_
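Review bot: `int m_PlaintextStartOffset = 0;` stays an int while every other offset and size member in this block is `long long`, and the guard this commit adds to DrmFileHandler::Construct compares it with the long long m_OriginEndOffset. Declaring it `long long m_PlaintextStartOffset = 0;` would keep that comparison and the following subtraction in one type, provided the code that assigns it (not visible here) does not rely on the narrower width. The class declaration starts above line 36, outside the hunk, so whether copy operations are deleted for these raw pointers and the FILE* cannot be checked from this page.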