media_packet_pool: Fix heap-buffer-overflow issue in media_packet_pool_allocate()

[Version] 0.1.48
[Issue Type] Bug fix

Change-Id: Ida20e76fd1fdc79d4ff964bd7290faf34d419d9f
Signed-off-by: Jeongmo Yang <jm80.yang@samsung.com>

diff --git a/packaging/capi-media-tool.spec b/packaging/capi-media-tool.spec
index 814d46e323a9b46fc1200523e7d06a9b61f64a83..c06ec67a6b4f122076c9279f263b607acb85b88d 100755 (executable)
--- a/packaging/capi-media-tool.spec
+++ b/packaging/capi-media-tool.spec
@@ -1,6 +1,6 @@
 Name:       capi-media-tool
 Summary:    A Core API media tool library in Tizen Native API
-Version:    0.1.47
+Version:    0.1.48
 Release:    0
 Group:      Multimedia/API
 License:    Apache-2.0

diff --git a/src/media_packet_pool.c b/src/media_packet_pool.c
index 01ce6f2571f88b4aa5aae2115754490ee9e98ede..6612a90e75dba9d0f6a78c54c09f863d56948ad3 100644 (file)
--- a/src/media_packet_pool.c
+++ b/src/media_packet_pool.c
@@ -87,8 +87,12 @@ int media_packet_pool_set_size(media_packet_pool_h pool, int min_buffers, int ma
        MEDIA_PACKET_POOL_INSTANCE_CHECK(pool);
        pool_handle = (media_packet_pool_s *)pool;
 
-       if (max_buffers <= 0 || min_buffers <= 0 || min_buffers > max_buffers)
+       if (max_buffers <= 0 || min_buffers <= 0 ||
+               min_buffers > max_buffers || max_buffers > MAX_PACKET) {
+               LOGE("invalid size - set[min:%d,max:%d], pool max[%d]",
+                       min_buffers, max_buffers, MAX_PACKET);
                return MEDIA_PACKET_ERROR_INVALID_PARAMETER;
+       }
 
        pool_handle->pool_size_min = min_buffers;
        pool_handle->pool_size_max = max_buffers;