diff options
| author | DoHyun Pyun <dh79.pyun@samsung.com> | 2020-01-23 13:09:38 +0900 |
|---|---|---|
| committer | DoHyun Pyun <dh79.pyun@samsung.com> | 2020-01-23 16:00:34 +0900 |
| commit | 1b90b1af95c37504c0f4506f119d00233e706507 (patch) | |
| tree | 149915b6e253eb981153d2679ffab75800cb8c4d | |
| parent | 2f839e0d7b6263714b3a6926bea72317ee7f3b62 (diff) | |
| download | libmtp-tizen_5.5_tv.tar.gz libmtp-tizen_5.5_tv.tar.bz2 libmtp-tizen_5.5_tv.zip | |
[DF200122-01357] Fix the crash issue with Gear 360submit/tizen_5.5_wearable_hotfix/20201026.184307submit/tizen_5.5/20200128.060523submit/tizen_5.5/20200127.233944submit/tizen_5.5/20200123.071204accepted/tizen/5.5/unified/wearable/hotfix/20201027.100643accepted/tizen/5.5/unified/20200128.122222tizen_5.5_wearable_hotfixtizen_5.5_tvtizen_5.5accepted/tizen_5.5_unified_wearable_hotfixaccepted/tizen_5.5_unified
Change-Id: I9f26480f9144c8f71fcab603af15018091274485
Signed-off-by: DoHyun Pyun <dh79.pyun@samsung.com>
| -rwxr-xr-x | packaging/libmtp.spec | 2 | ||||
| -rwxr-xr-x | src/libopenusb1-glue.c | 10 | ||||
| -rwxr-xr-x | src/libusb-glue.c | 14 | ||||
| -rwxr-xr-x | src/libusb1-glue.c | 14 |
4 files changed, 35 insertions, 5 deletions
diff --git a/packaging/libmtp.spec b/packaging/libmtp.spec index a403f8b..401b8af 100755 --- a/packaging/libmtp.spec +++ b/packaging/libmtp.spec @@ -3,7 +3,7 @@ Name: libmtp Summary: Library for media transfer protocol (mtp) Version: 1.1.11 -Release: 12 +Release: 13 Group: Network & Connectivity/Other License: LGPL-2.1 Source0: libmtp-%{version}.tar.gz diff --git a/src/libopenusb1-glue.c b/src/libopenusb1-glue.c index 1e04f04..8f670eb 100755 --- a/src/libopenusb1-glue.c +++ b/src/libopenusb1-glue.c @@ -1297,6 +1297,16 @@ static uint16_t ptp_usb_getpacket(PTPParams *params, ret = ptp_read_func(packet_size, &memhandler, params->data, rlen, 0); ptp_exit_recv_memory_handler(&memhandler, &x, rlen); if (x) { + /* + * [DF200122-01357] Crash observed on accessing 360 camera via MTP . + */ + if (*rlen > sizeof(PTPUSBBulkContainer)) { + libusb_glue_error(params, + "PTP: The packet size is so large"); + free(x); + return PTP_RC_NoValidObjectInfo; + } + memcpy(packet, x, *rlen); free(x); } diff --git a/src/libusb-glue.c b/src/libusb-glue.c index 1b477a4..14daf53 100755 --- a/src/libusb-glue.c +++ b/src/libusb-glue.c @@ -1288,8 +1288,18 @@ static uint16_t ptp_usb_getpacket(PTPParams *params, ret = ptp_read_func(packet_size, &memhandler, params->data, rlen, 0); ptp_exit_recv_memory_handler (&memhandler, &x, rlen); if (x) { - memcpy (packet, x, *rlen); - free (x); + /* + * [DF200122-01357] Crash observed on accessing 360 camera via MTP . + */ + if (*rlen > sizeof(PTPUSBBulkContainer)) { + libusb_glue_error(params, + "PTP: The packet size is so large"); + free(x); + return PTP_RC_NoValidObjectInfo; + } + + memcpy(packet, x, *rlen); + free(x); } return ret; } diff --git a/src/libusb1-glue.c b/src/libusb1-glue.c index 5c8c46a..c4527d2 100755 --- a/src/libusb1-glue.c +++ b/src/libusb1-glue.c @@ -1343,8 +1343,18 @@ static uint16_t ptp_usb_getpacket(PTPParams *params, ret = ptp_read_func(packet_size, &memhandler, params->data, rlen, 0); ptp_exit_recv_memory_handler (&memhandler, &x, rlen); if (x) { - memcpy (packet, x, *rlen); - free (x); + /* + * [DF200122-01357] Crash observed on accessing 360 camera via MTP . + */ + if (*rlen > sizeof(PTPUSBBulkContainer)) { + libusb_glue_error(params, + "PTP: The packet size is so large"); + free(x); + return PTP_RC_NoValidObjectInfo; + } + + memcpy(packet, x, *rlen); + free(x); } return ret; } |