Fix some vulnerability (Null Pointer Dereference) defects

[Version] 0.12.59
[Issue Type] Vulnerability

Change-Id: I0d4ddd518dad40e4306cbc8f4200ccaa6f00ea78
(cherry picked from commit 38b3c36fd75409a72a7f2da8e3c27f15ef1ba7b9)

diff --git a/focus_server/mm_sound_mgr_focus.c b/focus_server/mm_sound_mgr_focus.c
index 08249a0..b3b1844 100644 (file)
--- a/focus_server/mm_sound_mgr_focus.c
+++ b/focus_server/mm_sound_mgr_focus.c
@@ -692,7 +692,12 @@ int mm_sound_mgr_focus_create_node(const _mm_sound_mgr_focus_param_t *param)
        if (ret)
                goto FINISH;
 
-       node = g_malloc0(sizeof(focus_node_t));
+       node = (focus_node_t *)g_try_malloc0(sizeof(focus_node_t));
+       if (!node) {
+               debug_error("Failed to alloc node");
+               ret = MM_ERROR_OUT_OF_MEMORY;
+               goto FINISH;
+       }
 
        /* fill up information to the node */
        _mm_sound_mgr_focus_fill_info_from_msg(node, param);
@@ -1123,7 +1128,12 @@ int mm_sound_mgr_focus_add_watch_node(const _mm_sound_mgr_focus_param_t *param)
                }
        }
 
-       node = g_malloc0(sizeof(focus_node_t));
+       node = (focus_node_t *)g_try_malloc0(sizeof(focus_node_t));
+       if (!node) {
+               debug_error("Failed to alloc node");
+               ret = MM_ERROR_OUT_OF_MEMORY;
+               goto FINISH;
+       }
 
        /* fill up information to the node */
        _mm_sound_mgr_focus_fill_info_from_msg(node, param);

diff --git a/mm_sound_client.c b/mm_sound_client.c
index ad21494..3098929 100644 (file)
--- a/mm_sound_client.c
+++ b/mm_sound_client.c
@@ -99,7 +99,11 @@ struct callback_data {
 
 #define GET_CB_DATA(_cb_data, _func, _userdata, _extradata) \
        do { \
-               _cb_data = (struct callback_data*) g_malloc0(sizeof(struct callback_data)); \
+               _cb_data = (struct callback_data*) g_try_malloc0(sizeof(struct callback_data)); \
+               if (!_cb_data) { \
+                       debug_error("failed to allocate callback_data"); \
+                       return MM_ERROR_OUT_OF_MEMORY; \
+               } \
                _cb_data->user_cb = _func; \
                _cb_data->user_data = _userdata; \
                _cb_data->extra_data = _extradata; \
@@ -248,10 +252,14 @@ int mm_sound_client_play_sound_with_stream_info(MMSoundPlayParam *param, int *ha
                                                                                                        getpid(), handle, stream_type, stream_id);
        if (ret != MM_ERROR_NONE) {
                debug_error("Play Sound Failed");
-               goto failed;
+               return ret;
        }
        if (param->callback) {
-               end_cb_data = (play_sound_end_callback_data_t *) g_malloc0(sizeof(play_sound_end_callback_data_t));
+               end_cb_data = (play_sound_end_callback_data_t *) g_try_malloc0(sizeof(play_sound_end_callback_data_t));
+               if (!end_cb_data) {
+                       debug_error("Failed to alloc end_cb_data");
+                       return MM_ERROR_OUT_OF_MEMORY;
+               }
                end_cb_data->watching_handle = *handle;
                GET_CB_DATA(cb_data, param->callback, param->data, end_cb_data);
 
@@ -261,8 +269,6 @@ int mm_sound_client_play_sound_with_stream_info(MMSoundPlayParam *param, int *ha
                        debug_error("Add callback for play sound(%d) Failed", *handle);
        }
 
-failed:
-
        debug_fleave();
        return ret;
 

diff --git a/mm_sound_pa_client.c b/mm_sound_pa_client.c
index 4add2ba..5681117 100644 (file)
--- a/mm_sound_pa_client.c
+++ b/mm_sound_pa_client.c
@@ -215,7 +215,6 @@ int mm_sound_pa_open(MMSoundHandleMode mode, int volume_config, pa_sample_spec *
        default:
                err = MM_ERROR_SOUND_INTERNAL;
                goto fail;
-               break;
        }
 
        if (!s) {
@@ -228,6 +227,11 @@ int mm_sound_pa_open(MMSoundHandleMode mode, int volume_config, pa_sample_spec *
        }
 
        handle = (mm_sound_handle_t *) malloc(sizeof(mm_sound_handle_t));
+       if (!handle) {
+               debug_error("Failed to alloc handle");
+               err = MM_ERROR_OUT_OF_MEMORY;
+               goto fail;
+       }
        memset(handle, 0, sizeof(mm_sound_handle_t));
        handle->mode = mode;
        handle->volume_type = prop_vol_type;

diff --git a/mm_sound_proxy.c b/mm_sound_proxy.c
index 817aa58..5b4b767 100644 (file)
--- a/mm_sound_proxy.c
+++ b/mm_sound_proxy.c
@@ -24,7 +24,11 @@ struct callback_data {
 
 #define CB_DATA_NEW(_cb_data, _func, _userdata, _freefunc) \
        do { \
-               _cb_data = (struct callback_data*) g_malloc0(sizeof(struct callback_data)); \
+               _cb_data = (struct callback_data*) g_try_malloc0(sizeof(struct callback_data)); \
+               if (!_cb_data) { \
+                       debug_error("failed to allocate callback_data"); \
+                       return MM_ERROR_OUT_OF_MEMORY; \
+               } \
                _cb_data->user_cb = _func; \
                _cb_data->user_data = _userdata; \
                _cb_data->free_func = _freefunc; \

diff --git a/packaging/libmm-sound.spec b/packaging/libmm-sound.spec
index 0b76e39..2d90f17 100644 (file)
--- a/packaging/libmm-sound.spec
+++ b/packaging/libmm-sound.spec
@@ -1,6 +1,6 @@
 Name:       libmm-sound
 Summary:    MMSound Package contains client lib and sound_server binary
-Version:    0.12.58
+Version:    0.12.59
 Release:    0
 Group:      System/Libraries
 License:    Apache-2.0