diff options
| author | jiyong.min <jiyong.min@samsung.com> | 2020-09-15 17:13:19 +0900 |
|---|---|---|
| committer | jiyong.min <jiyong.min@samsung.com> | 2020-09-15 17:22:17 +0900 |
| commit | 4c60658563354cada16f7d635d52254279dc3656 (patch) | |
| tree | 1ecf4b06e45519848f03c7fcccf1ba560e5a572a | |
| parent | ca3e7273ae89ca360b039b9510788100873507c1 (diff) | |
| download | libmedia-service-tizen_6.0_hotfix.tar.gz libmedia-service-tizen_6.0_hotfix.tar.bz2 libmedia-service-tizen_6.0_hotfix.zip | |
Fix tainted data and minor changetizen_6.0.m2_releasesubmit/tizen_6.0_hotfix/20201103.114804submit/tizen_6.0_hotfix/20201102.192504submit/tizen_6.0/20201029.205103submit/tizen/20200917.004955submit/tizen/20200916.012329accepted/tizen/unified/20200917.055759accepted/tizen/6.0/unified/hotfix/20201103.002736accepted/tizen/6.0/unified/20201030.121137tizen_6.0_hotfixaccepted/tizen_6.0_unified_hotfix
- Add to check return value of fread due to tainted data
- Add to check minimum value of '((x[0] << 8) | (x[1]))'
- minor change. change 'long' and 'gsize' to 'size_t'
Change-Id: Ib71be1c7caeea8c99cb6194734599930d4d64bc1
| -rw-r--r-- | packaging/libmedia-service.spec | 2 | ||||
| -rw-r--r-- | src/common/media-svc-util.c | 21 |
2 files changed, 12 insertions, 11 deletions
diff --git a/packaging/libmedia-service.spec b/packaging/libmedia-service.spec index a7f5c64..3276801 100644 --- a/packaging/libmedia-service.spec +++ b/packaging/libmedia-service.spec @@ -1,6 +1,6 @@ Name: libmedia-service Summary: Media information service library for multimedia applications -Version: 0.4.13 +Version: 0.4.14 Release: 0 Group: Multimedia/Libraries License: Apache-2.0 and PD diff --git a/src/common/media-svc-util.c b/src/common/media-svc-util.c index aa2881a..4e44550 100644 --- a/src/common/media-svc-util.c +++ b/src/common/media-svc-util.c @@ -806,12 +806,10 @@ int _media_svc_set_media_info(media_svc_content_info_s *content_info, const char static int __image_360_check(const char *path) { FILE *fp = NULL; - long app1_size = 0; - int size = 1; + size_t size = 0, app1_size = 0, exif_app1_xmp_size = 0; unsigned char exif_header[4] = {0, }; unsigned char exif_app1[2] = {0, }; unsigned char exif_app1_xmp[2] = {0, }; - gsize exif_app1_xmp_size = 0; unsigned char exif_app1_xmp_t[2] = {0, }; GString *xmp_data = NULL; int fdata = 0; @@ -827,32 +825,35 @@ static int __image_360_check(const char *path) goto ERROR; size = fread(exif_header, 1, sizeof(exif_header), fp); - if (size <= 0) + if (size != sizeof(exif_header)) goto ERROR; if ((exif_header[0] == 0xff) && (exif_header[1] == 0xd8) && (exif_header[2] == 0xff) && (exif_header[3] == 0xe1)) { size = fread(exif_app1, 1, sizeof(exif_app1), fp); - if (size <= 0) + if (size != sizeof(exif_app1)) goto ERROR; - app1_size = (long)((exif_app1[0] << 8) | (exif_app1[1])) - 2 ; + if ((size_t)((exif_app1[0] << 8) | (exif_app1[1])) <= 2) + goto ERROR; + app1_size = (size_t)((exif_app1[0] << 8) | (exif_app1[1])) - 2 ; if (fseek(fp, app1_size, SEEK_CUR) != 0) goto ERROR; size = fread(exif_app1_xmp, 1, sizeof(exif_app1_xmp), fp); - if (size <= 0) + if (size != sizeof(exif_app1_xmp)) goto ERROR; if ((exif_app1_xmp[0] == 0xff) && (exif_app1_xmp[1] == 0xe1)) { size = fread(exif_app1_xmp_t, 1, sizeof(exif_app1_xmp_t), fp); - if (size <= 0) + if (size != sizeof(exif_app1_xmp_t)) goto ERROR; - exif_app1_xmp_size = (long)((exif_app1_xmp_t[0] << 8) | (exif_app1_xmp_t[1])) - 2; - if (exif_app1_xmp_size == 0) + if ((size_t)((exif_app1_xmp_t[0] << 8) | (exif_app1_xmp_t[1])) <= 2) goto ERROR; + exif_app1_xmp_size = (size_t)((exif_app1_xmp_t[0] << 8) | (exif_app1_xmp_t[1])) - 2; + xmp_data = g_string_sized_new(exif_app1_xmp_size); do { |