Fix crash issue due to garbage value 07/227307/1 accepted/tizen/unified/20200407.043020 submit/tizen/20200406.033132
authorjiyong.min <jiyong.min@samsung.com>
Wed, 11 Mar 2020 06:17:09 +0000 (15:17 +0900)
committerJiyong Min <jiyong.min@samsung.com>
Wed, 11 Mar 2020 06:51:19 +0000 (06:51 +0000)
  - If the result of g_convert() is an empty string, written_len is 0.
    Then the unsigned 'written_len - 1' wraps around to a garbage value and
    the carriage-return check crashes.

(gdb)bt full
mmfile_string_convert ...mm_file_util_string.c:189
        i = 1395696
        result = 0xae45a410 ""
        err = 0x0
        written_len = 0

Change-Id: I61b4c3e4a6b938ce549844e163dc46f47398aa98

packaging/libmm-fileinfo.spec
utils/mm_file_util_string.c

index 1eef915..6561d3b 100644 (file)
@@ -1,6 +1,6 @@
 Name:      libmm-fileinfo
 Summary:    Media Fileinfo
-Version:    0.6.86
+Version:    0.6.87
 Release:    1
 Group:      System/Libraries
 License:    Apache-2.0
index be784ab..96f549c 100755 (executable)
@@ -173,18 +173,19 @@ char *mmfile_string_convert(const char *str, unsigned int len,
        result = g_convert(str, len, to_codeset, from_codeset, bytes_read, &written_len, &err);
 
        /*if converting failed, return null string.*/
-       if (!result) {
+       if (!result || written_len == 0) {
                debug_warning(RELEASE, "text encoding failed.[%s][%d]\n", str, len);
 
                if (err != NULL) {
                        debug_warning(DEBUG, "Error msg [%s]", err->message);
                        g_error_free(err);
                }
+               mmfile_free(result);
 
                written_len = 0;
        } else {
                /* check carriage return */
-               unsigned int i = 0;
+               gsize i = 0;
                for (i = 0; i < written_len - 1; i++) {
                        if (result[i] == '\r') {
                                if (result[i + 1] != '\n')
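Review bot: The buffer released by the added `mmfile_free(result);` comes from g_convert(), which GLib documents as being freed with g_free(), and nothing in the hunk shows whether `result` is reset to NULL afterwards. mmfile_string_convert continues past the end of this hunk, so if it later returns `result` and mmfile_free() is a plain free wrapper, callers would receive a dangling pointer whenever the conversion yields an empty string. I would write `g_free(result); result = NULL;` here, or add a comment stating that mmfile_free() nulls its argument. The new `written_len == 0` case also logs "text encoding failed" although the conversion itself succeeded; a short comment such as `/* an empty result is treated as a failure so that written_len - 1 below cannot wrap */` would explain why.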