
harden array handling, fix a bug in server_method

Julius Pfrommer 9 gadi atpakaļ
vecāks
revīzija
7f557eb253
2 mainītis faili ar 6 papildinājumiem un 3 dzēšanām
  1. 2 2
      examples/server_method.c
  2. 4 1
      src/ua_types.c

+ 2 - 2
examples/server_method.c

@@ -60,7 +60,7 @@ int main(int argc, char** argv) {
     /* add the method node with the callback */
     UA_Argument inputArguments;
     UA_Argument_init(&inputArguments);
-    inputArguments.arrayDimensionsSize = -1;
+    inputArguments.arrayDimensionsSize = 0;
     inputArguments.arrayDimensions = NULL;
     inputArguments.dataType = UA_TYPES[UA_TYPES_STRING].typeId;
     inputArguments.description = UA_LOCALIZEDTEXT("en_US", "A String");
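Review bot: The pair `inputArguments.arrayDimensionsSize = 0;` / `inputArguments.arrayDimensions = NULL;` carries no comment saying that the two fields must agree, and the same pair for `outputArguments` in the next hunk has the same gap. Because this is an example that readers copy, I would add `/* no array dimensions: size 0 goes with a NULL pointer */` above each pair. If UA_Argument_init already leaves both fields in this state (its body is not shown here), the two assignments could be dropped instead. main() starts and ends outside the hunk.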
@@ -69,7 +69,7 @@ int main(int argc, char** argv) {
 
     UA_Argument outputArguments;
     UA_Argument_init(&outputArguments);
-    outputArguments.arrayDimensionsSize = -1;
+    outputArguments.arrayDimensionsSize = 0;
     outputArguments.arrayDimensions = NULL;
     outputArguments.dataType = UA_TYPES[UA_TYPES_STRING].typeId;
     outputArguments.description = UA_LOCALIZEDTEXT("en_US", "A String");

+ 4 - 1
src/ua_types.c

@@ -727,7 +727,7 @@ void UA_delete(void *p, const UA_DataType *type) {
 /******************/
 
 void * UA_Array_new(size_t size, const UA_DataType *type) {
-    if(type->memSize * size > MAX_ARRAY_SIZE )
+    if(size > MAX_ARRAY_SIZE || type->memSize * size > MAX_ARRAY_SIZE)
         return NULL;
     if(size == 0)
         return UA_EMPTY_ARRAY_SENTINEL;
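Review bot: The product `type->memSize * size` in the new condition of UA_Array_new can still wrap before it is compared. Bounding `size` by MAX_ARRAY_SIZE keeps the multiplication in range only if `memSize * MAX_ARRAY_SIZE` fits in size_t, and neither the constant nor the width of memSize is visible on this page. A division-based check cannot overflow: `if(size > MAX_ARRAY_SIZE || (type->memSize > 0 && size > MAX_ARRAY_SIZE / type->memSize))`. The same expression is added to UA_Array_copy in the next hunk with `src_size`, so a shared static helper would keep both limits in step. UA_Array_new's body continues past the hunk.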
@@ -744,6 +744,9 @@ UA_Array_copy(const void *src, size_t src_size, void **dst, const UA_DataType *t
         return UA_STATUSCODE_GOOD;
     }
 
+    if(src_size > MAX_ARRAY_SIZE || type->memSize * src_size > MAX_ARRAY_SIZE)
+        return UA_STATUSCODE_BADOUTOFMEMORY;
+
     /* calloc, so we don't have to check retval in every iteration of copying */
     *dst = UA_calloc(src_size, type->memSize);
     if(!*dst)
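Review bot: The new early return in UA_Array_copy leaves `*dst` untouched, while the allocation path directly below assigns `*dst` before testing it, so a failed calloc leaves NULL there. A caller that cleans up `*dst` after any non-good status would then act on whatever value the pointer held before the call. Bracing the new `if` and adding `*dst = NULL;` before `return UA_STATUSCODE_BADOUTOFMEMORY;` makes the two failure paths agree. What the `if(!*dst)` branch returns is outside the hunk, and the function begins before it.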