Fix heap-use-after-free in __remove_ogg_picture()

Fixed 'setAutoDelete' to 'false' so that pictureList is not freed while looking for picture.

Change-Id: I68223bfd2c2ad59b4da033665e3e7cdd857d3fe1
Signed-off-by: minje.ahn <minje.ahn@samsung.com>

diff --git a/src/metadata_editor.cpp b/src/metadata_editor.cpp
index 79107b2a0940105ce2b2fb0cf159da8db0a8c9c5..4bfb53ea103cd445b305325856dfb350864a1f34 100755 (executable)
--- a/src/metadata_editor.cpp
+++ b/src/metadata_editor.cpp
@@ -174,18 +174,11 @@ static int __remove_APIC(ID3v2::Tag *tag, int index)
 static int __remove_ogg_picture(Ogg::XiphComment *xtag, int index)
 {
        ME_RETVM_IF(!xtag, METADATA_EDITOR_ERROR_INVALID_PARAMETER, "Invalid XiphComment");
-       ME_RETV_IF(!__is_valid_index(xtag->pictureList(), index), METADATA_EDITOR_ERROR_INVALID_PARAMETER);
-
-       /* xiphComment::removePicture works abnormally. Do not modify this fuction.
-               - Use xtag->pictureList()[index] : crashed
-               - Use copied xtag->pictureList()[index] : crashed
-               - Use iterator with std::next() : heap-use-after-free occured
-       */
-       List<FLAC::Picture *>::Iterator it = xtag->pictureList().begin();
-       std::advance(it, index);
+       auto lst = xtag->pictureList();
+       lst.setAutoDelete(false);
+       ME_RETV_IF(!__is_valid_index(lst, index), METADATA_EDITOR_ERROR_INVALID_PARAMETER);
 
-       /* No need to set it to 'true'. taglib sets auto-delete. */
-       xtag->removePicture(*it, false);
+       xtag->removePicture(lst[index], true);
 
        return METADATA_EDITOR_ERROR_NONE;
 }
@@ -296,7 +289,6 @@ public:
                auto lst = __file->pictureList();
                ME_RETV_IF(!__is_valid_index(lst, index), METADATA_EDITOR_ERROR_INVALID_PARAMETER);
 
-               /* No need to set it to 'true'. taglib sets auto-delete. */
                __file->removePicture(lst[index], false);
                return METADATA_EDITOR_ERROR_NONE;
        }