jpeg pushed a commit to branch master.
http://git.enlightenment.org/core/efl.git/commit/?id=137383b53266d6380c0e89103a90038e1d461e86
commit 137383b53266d6380c0e89103a90038e1d461e86
Author: Jean-Philippe Andre <jp.an...@samsung.com>
Date: Tue Jan 14 17:36:54 2014 +0900
Evas/cserve2: Add some safety checks when reading socket messages
Fixes CID 1039571 and 1039572.
---
src/bin/evas/dummy_slave.c | 4 ++++
src/bin/evas/evas_cserve2.h | 3 ++-
src/bin/evas/evas_cserve2_slave.c | 3 +++
3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/bin/evas/dummy_slave.c b/src/bin/evas/dummy_slave.c
index 9b56380..fb57250 100644
--- a/src/bin/evas/dummy_slave.c
+++ b/src/bin/evas/dummy_slave.c
@@ -23,6 +23,10 @@ command_read(int fd, Slave_Command *cmd, void **params)
if (ret < (int)sizeof(int) * 2)
return EINA_FALSE;
+ if(!((ints[0] > 0) && (ints[0] <= 0xFFFF) &&
+ (ints[1] >= 0) && (ints[1] < SLAVE_COMMAND_LAST)))
+ return EINA_FALSE;
+
size = ints[0];
buf = malloc(size);
if (!buf) return EINA_FALSE;
diff --git a/src/bin/evas/evas_cserve2.h b/src/bin/evas/evas_cserve2.h
index 86b3f8c..2369857 100644
--- a/src/bin/evas/evas_cserve2.h
+++ b/src/bin/evas/evas_cserve2.h
@@ -99,7 +99,8 @@ typedef enum {
FONT_LOAD,
FONT_GLYPHS_LOAD,
SLAVE_QUIT,
- ERROR
+ ERROR,
+ SLAVE_COMMAND_LAST
} Slave_Command;
struct _Slave_Msg_Image_Open {
diff --git a/src/bin/evas/evas_cserve2_slave.c
b/src/bin/evas/evas_cserve2_slave.c
index 45d19df..907b97c 100644
--- a/src/bin/evas/evas_cserve2_slave.c
+++ b/src/bin/evas/evas_cserve2_slave.c
@@ -188,6 +188,9 @@ command_read(int fd, Slave_Command *cmd, void **params)
if (ret < (int)sizeof(int) * 2)
return EINA_FALSE;
+ EINA_SAFETY_ON_FALSE_RETURN_VAL((ints[0] > 0) && (ints[0] <= 0xFFFF),
EINA_FALSE);
+ EINA_SAFETY_ON_FALSE_RETURN_VAL((ints[1] >= 0) && (ints[1] <
SLAVE_COMMAND_LAST), EINA_FALSE);
+
size = ints[0];
buf = malloc(size);
if (!buf) return EINA_FALSE;
--
