projects / platform / core / multimedia / libmm-utility.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1571474)
Check error to prevent infinite loop 03/318203/8
authorhjkim <backto.kim@samsung.com>
Tue, 14 Jan 2025 06:24:56 +0000 (15:24 +0900)
committerhjkim <backto.kim@samsung.com>
Tue, 14 Jan 2025 10:13:09 +0000 (19:13 +0900)
[Issue]
  A crash occurred in while loop. Fix Fuzzing issue.

Change-Id: If1da0937431454079f09d11456e28d5ce676933f

jpeg/mm_util_jpeg.c patch | blob | history

diff --git a/jpeg/mm_util_jpeg.c b/jpeg/mm_util_jpeg.c
index 7e91378d72095029e2bc8c9d4b2839c168702c10..a963f970bce5f858dd055558ae4e722dfbecf29d 100644 (file)
--- a/jpeg/mm_util_jpeg.c
+++ b/jpeg/mm_util_jpeg.c
@@ -448,6 +448,12 @@ static int __mm_util_jpeg_decode(mm_util_jpeg_ctrl_format_e control_format, FILE
                int y = 0;
                while (dinfo.output_scanline < dinfo.output_height) {
                        jpeg_read_scanlines(&dinfo, buffer, 1);
+                       if (dinfo.err->msg_code != 0) {
+                               mm_util_error("jpeg_read_scanlines failed");
+                               ret = MM_UTIL_ERROR_INVALID_OPERATION;
+                               goto END;
+                       }
+
                        for (i = 0; i < row_stride; i += 3) {
                                image[i/3] = row[i];
                                if (i & 1) {
@@ -466,6 +472,11 @@ static int __mm_util_jpeg_decode(mm_util_jpeg_ctrl_format_e control_format, FILE
                while (dinfo.output_scanline < dinfo.output_height) {
                        /* jpeg_read_scanlines expects an array of pointers to scanlines. Here the array is only one element long, but you could ask formore than one scanline at a time if that's more convenient. */
                        jpeg_read_scanlines(&dinfo, buffer, 1);
+                       if (dinfo.err->msg_code != 0) {
+                               mm_util_error("jpeg_read_scanlines failed");
+                               ret = MM_UTIL_ERROR_INVALID_OPERATION;
+                               goto END;
+                       }
 
                        memcpy(image_buffer + state, buffer[0], row_stride);
                        state += row_stride;
@@ -474,9 +485,10 @@ static int __mm_util_jpeg_decode(mm_util_jpeg_ctrl_format_e control_format, FILE
        }
 
        ret = mm_image_create_image(dinfo.output_width, dinfo.output_height, color_format, image_buffer, image_buffer_size, decoded);
-       g_free(image_buffer);
 
 END:
+       g_free(image_buffer);
+
        /* Finish decompression */
        jpeg_finish_decompress(&dinfo);
        mm_util_debug("jpeg_finish_decompress");
Domain: Multimedia / Imaging;