From 137383b53266d6380c0e89103a90038e1d461e86 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Andre
Date: Tue, 14 Jan 2014 17:36:54 +0900
Subject: [PATCH] Evas/cserve2: Add some safety checks when reading socket messages

Fixes CID 1039571 and 1039572.
---
 src/bin/evas/dummy_slave.c | 4 ++++
 src/bin/evas/evas_cserve2.h | 3 ++-
 src/bin/evas/evas_cserve2_slave.c | 3 +++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/bin/evas/dummy_slave.c b/src/bin/evas/dummy_slave.c
index 9b5638053b..fb57250681 100644
--- a/src/bin/evas/dummy_slave.c
+++ b/src/bin/evas/dummy_slave.c
@@ -23,6 +23,10 @@ command_read(int fd, Slave_Command *cmd, void **params)
 if (ret < (int)sizeof(int) * 2)
 return EINA_FALSE;
 
+ if(!((ints[0] > 0) && (ints[0] <= 0xFFFF) &&
+ (ints[1] >= 0) && (ints[1] < SLAVE_COMMAND_LAST)))
+ return EINA_FALSE;
+
 size = ints[0];
 buf = malloc(size);
 if (!buf) return EINA_FALSE;
diff --git a/src/bin/evas/evas_cserve2.h b/src/bin/evas/evas_cserve2.h
index 86b3f8ca3b..2369857666 100644
--- a/src/bin/evas/evas_cserve2.h
+++ b/src/bin/evas/evas_cserve2.h
@@ -99,7 +99,8 @@ typedef enum {
 FONT_LOAD,
 FONT_GLYPHS_LOAD,
 SLAVE_QUIT,
- ERROR
+ ERROR,
+ SLAVE_COMMAND_LAST
 } Slave_Command;
 
 struct _Slave_Msg_Image_Open {
diff --git a/src/bin/evas/evas_cserve2_slave.c b/src/bin/evas/evas_cserve2_slave.c
index 45d19df0ff..907b97ccc8 100644
--- a/src/bin/evas/evas_cserve2_slave.c
+++ b/src/bin/evas/evas_cserve2_slave.c
@@ -188,6 +188,9 @@ command_read(int fd, Slave_Command *cmd, void **params)
 if (ret < (int)sizeof(int) * 2)
 return EINA_FALSE;
 
+ EINA_SAFETY_ON_FALSE_RETURN_VAL((ints[0] > 0) && (ints[0] <= 0xFFFF), EINA_FALSE);
+ EINA_SAFETY_ON_FALSE_RETURN_VAL((ints[1] >= 0) && (ints[1] < SLAVE_COMMAND_LAST), EINA_FALSE);
+
 size = ints[0];
 buf = malloc(size);
 if (!buf) return EINA_FALSE;
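Review bot: The new bound on `ints[0]` in dummy_slave.c caps the allocation at 0xFFFF but is the same for every command, so a message whose payload is shorter than the structure its handler expects still passes this check. The handlers and the second read() are outside this hunk, so whether they re-check the length against the per-command structure size should be confirmed. The literal `0xFFFF` is also repeated in evas_cserve2_slave.c; a named constant in evas_cserve2.h (for example `#define SLAVE_MSG_MAX_SIZE 0xFFFF`, the name being only a suggestion) would keep both readers in step. The added `if(` also lacks the space that the surrounding `if (` lines use.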
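Review bot: `SLAVE_COMMAND_LAST` in evas_cserve2.h is a sentinel rather than a command, and nothing in the enum says so. A short comment on that line, such as `/* sentinel: keep last, used to range-check command ids read from the socket */`, would keep a later enumerator from being appended after it and silently rejected by the readers. The `ints[1] >= 0` check in the two command_read functions also presumes the first enumerator is 0; the start of the enum is outside this hunk, so that is worth confirming.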
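Review bot: The two range checks in evas_cserve2_slave.c use `EINA_SAFETY_ON_FALSE_RETURN_VAL`, which as far as I know is compiled out when Eina is built without EINA_SAFETY_CHECKS. In such a build the header values read from the socket would again reach `malloc(size)` unchecked, which is worth confirming against the build configuration. These values come from the peer rather than from a caller's programming error, so a plain conditional as in dummy_slave.c is the safer form: `if ((ints[0] <= 0) || (ints[0] > 0xFFFF) || (ints[1] < 0) || (ints[1] >= SLAVE_COMMAND_LAST)) return EINA_FALSE;`. command_read starts and ends outside the hunk.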