From 375f66856a339e0b5ca9a66d0a1e31e67e50e7b7 Mon Sep 17 00:00:00 2001 From: Hyunho Kang Date: Wed, 8 Feb 2017 21:02:27 +0900 Subject: Add boundary check for value from untrusted source Change-Id: I7ac23493f014447d3afbca82fe4f4bdaa565986f Signed-off-by: Hyunho Kang (cherry picked from commit 59701599bd4dc114594c170348fb236177a47866) --- src/data-control-provider.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/data-control-provider.c b/src/data-control-provider.c index bc6d8c9..970ffea 100755 --- a/src/data-control-provider.c +++ b/src/data-control-provider.c @@ -43,6 +43,7 @@ #define QUERY_MAXLEN 4096 #define ROW_ID_SIZE 32 #define RESULT_PATH_MAX 512 +#define MAX_COLUMN_COUNT 32767 /* Base on sqlite3 maximum column count */ #define RESULT_PAGE_NUMBER "RESULT_PAGE_NUMBER" #define MAX_COUNT_PER_PAGE "MAX_COUNT_PER_PAGE" @@ -653,7 +654,13 @@ static data_control_bulk_data_h __get_bulk_data_from_fd(int fd) datacontrol_bulk_data_destroy(ret_bulk_data_h); return NULL; } + LOGI("bulk data size : %d", size); + if (size < 0 || size >= MAX_REQUEST_ARGUMENT_SIZE) { + LOGE("Invalid data size"); + datacontrol_bulk_data_destroy(ret_bulk_data_h); + return NULL; + } for (i = 0; i < size; i++) { LOGI("bulk data : %d", i); @@ -1204,6 +1211,11 @@ int __provider_process(bundle *b, int fd) int current = 0; int column_count = _get_int_from_str(arg_list[i++]); /* Column count */ + if (column_count <= 0 || column_count > MAX_COLUMN_COUNT) { + LOGE("Invalid column count %d", column_count); + goto err; + } + LOGI("SELECT column count: %d", column_count); column_list = (const char **)malloc(column_count * (sizeof(char *))); if (column_list == NULL) { -- cgit v1.2.3
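Review bot: `MAX_COLUMN_COUNT` in the first hunk is set to 32767, which is the highest value SQLite allows `SQLITE_MAX_COLUMN` to be raised to at build time, not its default of 2000. If the SQLite library behind this provider is built with the default, a request can still declare far more columns than any table can hold, so a limit tied to the actual build would reject bad input earlier. The comment would also read better as `/* Based on the upper bound SQLite allows for SQLITE_MAX_COLUMN */`.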
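Review bot: In `__get_bulk_data_from_fd` the new guard bounds `size`, a record count read from the descriptor, with `MAX_REQUEST_ARGUMENT_SIZE`, whose name suggests a byte length for a request argument; its definition is not in this hunk. If it is a byte limit, the peer can still drive the loop through that many iterations, each presumably reading and allocating one record, so a dedicated count limit such as `#define MAX_BULK_DATA_COUNT <limit>` (name and value are placeholders) would state the intent. The rejected value only appears in the info-level `LOGI` before the check; `LOGE("Invalid data size %d", size);` would match the column-count message in the third hunk. The function body starts and ends outside the hunk.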
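Review bot: The range check on `column_count` in `__provider_process` does not tie the value to the number of entries actually present in `arg_list`. The code after the hunk is not visible, but if it copies `column_count` entries via `arg_list[i++]`, a count such as 32767 paired with a short argument array still reads past the end of that array. The condition should also compare against the remaining entries, for example `column_count > ARG_LIST_LEN - i`, where `ARG_LIST_LEN` is a placeholder for whatever holds the array length. It is also worth confirming that the `err` path copes with `column_list` not having been allocated yet when this `goto err` is taken.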