diff options
author | jiyong.min <jiyong.min@samsung.com> | 2020-03-11 15:17:09 +0900 |
---|---|---|
committer | jiyong.min <jiyong.min@samsung.com> | 2020-03-11 15:47:45 +0900 |
commit | c71a9faa619c675d4fa8cec047f25abeef505d62 (patch) | |
tree | fcf2f4eb8da6d0055f58a57680b0770f780b59c5 | |
parent | c6d1046414934b8c91ec400744f8260d739a99a4 (diff) | |
download | libmm-fileinfo-tizen_5.5.tar.gz libmm-fileinfo-tizen_5.5.tar.bz2 libmm-fileinfo-tizen_5.5.zip |
Fix crash issue due to garbage valuesubmit/tizen_5.5_wearable_hotfix/20201026.184303submit/tizen_5.5/20200312.042342accepted/tizen/5.5/unified/wearable/hotfix/20201027.115619accepted/tizen/5.5/unified/20200313.004350tizen_5.5_wearable_hotfixtizen_5.5accepted/tizen_5.5_unified_wearable_hotfixaccepted/tizen_5.5_unified
- If the result of g_convert() is empty string, the written_len is 0.
Then (unsigned int)'written_len - 1' became garbage value and
checking carriage return make crash.
(gdb)bt full
mmfile_string_convert ...mm_file_util_string.c:189
i = 1395696
result = 0xae45a410 ""
err = 0x0
written_len = 0
Change-Id: I61b4c3e4a6b938ce549844e163dc46f47398aa98
-rw-r--r-- | packaging/libmm-fileinfo.spec | 2 | ||||
-rwxr-xr-x | utils/mm_file_util_string.c | 5 |
2 files changed, 4 insertions, 3 deletions
diff --git a/packaging/libmm-fileinfo.spec b/packaging/libmm-fileinfo.spec index 1eef915..6561d3b 100644 --- a/packaging/libmm-fileinfo.spec +++ b/packaging/libmm-fileinfo.spec @@ -1,6 +1,6 @@ Name: libmm-fileinfo Summary: Media Fileinfo -Version: 0.6.86 +Version: 0.6.87 Release: 1 Group: System/Libraries License: Apache-2.0 diff --git a/utils/mm_file_util_string.c b/utils/mm_file_util_string.c index be784ab..96f549c 100755 --- a/utils/mm_file_util_string.c +++ b/utils/mm_file_util_string.c @@ -173,18 +173,19 @@ char *mmfile_string_convert(const char *str, unsigned int len, result = g_convert(str, len, to_codeset, from_codeset, bytes_read, &written_len, &err); /*if converting failed, return null string.*/ - if (!result) { + if (!result || written_len == 0) { debug_warning(RELEASE, "text encoding failed.[%s][%d]\n", str, len); if (err != NULL) { debug_warning(DEBUG, "Error msg [%s]", err->message); g_error_free(err); } + mmfile_free(result); written_len = 0; } else { /* check carriage return */ - unsigned int i = 0; + gsize i = 0; for (i = 0; i < written_len - 1; i++) { if (result[i] == '\r') { if (result[i + 1] != '\n') |