Fix security issue - buffer overflow 33/138033/1 accepted/tizen/unified/20170712.165037 submit/tizen/20170711.075327
authorJeongmo Yang <jm80.yang@samsung.com>
Tue, 11 Jul 2017 01:45:21 +0000 (10:45 +0900)
committerJeongmo Yang <jm80.yang@samsung.com>
Tue, 11 Jul 2017 01:45:21 +0000 (10:45 +0900)
[Version] 0.10.125
[Profile] Common
[Issue Type] Security issue
[Issue#] SATIZENVUL-916
[Dependency module] N/A
[Test] [M(T) - Boot=(OK), sdb=(OK), Home=(OK), Touch=(OK), Version=tizen-unified_20170704.3]

Change-Id: Ida060c371fac6a6366b5160ed3862799d4fec564
Signed-off-by: Jeongmo Yang <jm80.yang@samsung.com>
packaging/libmm-camcorder.spec
src/mm_camcorder_util.c

index 30121e5..21a6735 100644 (file)
@@ -1,6 +1,6 @@
 Name:       libmm-camcorder
 Summary:    Camera and recorder library
-Version:    0.10.124
+Version:    0.10.125
 Release:    0
 Group:      Multimedia/Libraries
 License:    Apache-2.0
index cfcaa2d..77f3a43 100644 (file)
@@ -46,6 +46,8 @@
 -----------------------------------------------------------------------*/
 #define TIME_STRING_MAX_LEN                     64
 #define __MMCAMCORDER_CAPTURE_WAIT_TIMEOUT      5
+#define __MMCAMCORDER_MAX_WIDTH                 8192
+#define __MMCAMCORDER_MAX_HEIGHT                8192
 
 #define FPUTC_CHECK(x_char, x_file) \
 { \
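Review bot: The two new limits `__MMCAMCORDER_MAX_WIDTH` and `__MMCAMCORDER_MAX_HEIGHT` carry no comment saying what they protect or why 8192 was chosen, so a later maintainer cannot tell whether raising them is safe. I would add above them something like `/* upper bound on frame dimensions accepted by the format converter; keeps width * height * 3 well inside 32-bit range */`. If the value comes from a hardware or sensor limit rather than from the arithmetic, the comment should say that instead.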
@@ -2239,6 +2241,12 @@ static gboolean _mmcamcorder_convert_NV12_to_I420(unsigned char *src, guint widt
                return FALSE;
        }
 
+       /* buffer overflow prevention check */
+       if (width > __MMCAMCORDER_MAX_WIDTH || height > __MMCAMCORDER_MAX_HEIGHT) {
+               _mmcam_dbg_err("too large size %d x %d", width, height);
+               return FALSE;
+       }
+
        dst_size = (width * height * 3) >> 1;
 
        _mmcam_dbg_log("NV12 -> I420 : %dx%d, dst size %d", width, height, dst_size);
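Review bot: The added guard rejects only oversized dimensions, so a zero `width` or `height` still reaches `dst_size = (width * height * 3) >> 1` and produces a zero-byte size, unless the check that ends just above the hunk already rejects it; consider `if (width == 0 || height == 0 || width > __MMCAMCORDER_MAX_WIDTH || height > __MMCAMCORDER_MAX_HEIGHT) {`. `width` is `guint` in the visible part of the signature (and `height` presumably is too), so the new `_mmcam_dbg_err` should use `%u` rather than `%d`. The bound fixes the size computation but does not show that `src` actually holds `width * height * 3 / 2` bytes. No source length appears in the truncated signature, so that still depends on the caller, and a short comment stating this precondition would help. The function body begins and ends outside the hunk.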