Fix tainted width & height issue for gif

author Jiyong Min <jiyong.min@samsung.com>

Tue, 14 Jun 2016 07:55:52 +0000 (16:55 +0900)

committer Jiyong Min <jiyong.min@samsung.com>

Tue, 14 Jun 2016 08:40:02 +0000 (17:40 +0900)
author Jiyong Min <jiyong.min@samsung.com>
Tue, 14 Jun 2016 07:55:52 +0000 (16:55 +0900)
committer Jiyong Min <jiyong.min@samsung.com>
Tue, 14 Jun 2016 08:40:02 +0000 (17:40 +0900)
diff --git a/gif/mm_util_gif.c b/gif/mm_util_gif.c

index da6ee75..0f4f2a7 100755 (executable)
--- a/gif/mm_util_gif.c
+++ b/gif/mm_util_gif.c
@@ -114,7 +114,10 @@ static int __read_gif(mm_util_gif_data *decoded, const char *filename, void *mem
                 mm_util_error("Gif File wrong decode parameters");
                 return MM_UTIL_ERROR_INVALID_OPERATION;
         }
-
+       if (GifFile->SWidth <= 0 || GifFile->SHeight <= 0) {
+               mm_util_error("Gif File wrong decode width & height");
+               return MM_UTIL_ERROR_INVALID_OPERATION;
+       }
         decoded->width = GifFile->SWidth;
         decoded->height = GifFile->SHeight;
         decoded->size = (unsigned long long)GifFile->SWidth * (unsigned long long)GifFile->SHeight * 4;
@@ -127,7 +130,7 @@ static int __read_gif(mm_util_gif_data *decoded, const char *filename, void *mem
         }
  
         Size = GifFile->SWidth * sizeof(GifPixelType);  /* Size in bytes one row. */
-       if ((screen_buffer[0] = (GifRowType) malloc(Size)) == NULL) {   /* First row. */
+       if ((screen_buffer[0] = (GifRowType) calloc(1, Size)) == NULL) {        /* First row. */
                 mm_util_error("Failed to allocate memory required, aborted.");
                 ret = MM_UTIL_ERROR_INVALID_OPERATION;
                 goto error;
@@ -137,7 +140,7 @@ static int __read_gif(mm_util_gif_data *decoded, const char *filename, void *mem
                 screen_buffer[0][i] = GifFile->SBackGroundColor;
         for (i = 1; i < GifFile->SHeight; i++) {
                 /* Allocate the other rows, and set their color to background too: */
-               if ((screen_buffer[i] = (GifRowType) malloc(Size)) == NULL) {
+               if ((screen_buffer[i] = (GifRowType) calloc(1, Size)) == NULL) {
                         mm_util_error("Failed to allocate memory required, aborted.");
                         ret = MM_UTIL_ERROR_INVALID_OPERATION;
                         goto error;
@@ -160,6 +163,11 @@ static int __read_gif(mm_util_gif_data *decoded, const char *filename, void *mem
                                 ret = MM_UTIL_ERROR_INVALID_OPERATION;
                                 goto error;
                         }
+                       if (GifFile->Image.Top < 0 || GifFile->Image.Left < 0 || GifFile->Image.Width <= 0 || GifFile->Image.Height <= 0) {
+                               mm_util_error("Gif File wrong decode width & height");
+                               ret = MM_UTIL_ERROR_INVALID_OPERATION;
+                               goto error;
+                       }
                         Row = GifFile->Image.Top;       /* Image Position relative to Screen. */
                         Col = GifFile->Image.Left;
                         Width = GifFile->Image.Width;
diff --git a/packaging/libmm-utility.spec b/packaging/libmm-utility.spec

index 212482c..00da96a 100755 (executable)
--- a/packaging/libmm-utility.spec
+++ b/packaging/libmm-utility.spec
@@ -1,6 +1,6 @@
  Name:       libmm-utility
  Summary:    Multimedia Framework Utility Library
-Version:    0.22
+Version:    0.23
  Release:    0
  Group:      System/Libraries
  License:    Apache-2.0
author	Jiyong Min <jiyong.min@samsung.com>
	Tue, 14 Jun 2016 07:55:52 +0000 (16:55 +0900)
committer	Jiyong Min <jiyong.min@samsung.com>
	Tue, 14 Jun 2016 08:40:02 +0000 (17:40 +0900)
gif/mm_util_gif.c		patch \| blob \| history
packaging/libmm-utility.spec		patch \| blob \| history