Replace system() to g_file_copy() due to exploitable vulnerabilities.

- Please refer to below webpage in detail
- https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=2130132

Change-Id: I790a24e92439b73d4c6f43e563fc7da2d317d262
Signed-off-by: Jiyong Min <jiyong.min@samsung.com>

diff --git a/configure.ac b/configure.ac
index 677db5ca9d3a01235ac1d53858f0b609969f5251..b5048a95566aee9bade25ca43ad59dc7993ff0c2 100755 (executable)
--- a/configure.ac
+++ b/configure.ac
@@ -41,6 +41,10 @@ PKG_CHECK_MODULES(GLIB, glib-2.0)
 AC_SUBST(GLIB_CFLAGS)
 AC_SUBST(GLIB_LIBS)
 
+PKG_CHECK_MODULES(GIO, gio-2.0)
+AC_SUBST(GIO_CFLAGS)
+AC_SUBST(GIO_LIBS)
+
 PKG_CHECK_MODULES(GMODULE, gmodule-2.0)
 AC_SUBST(GMODULE_CFLAGS)
 AC_SUBST(GMODULE_LIBS)

diff --git a/gif/Makefile.am b/gif/Makefile.am
index 7c9734d587463c1e1335a8f179d54186840c724a..74b00f992fd9c5984170767e6c991ba103c81502 100644 (file)
--- a/gif/Makefile.am
+++ b/gif/Makefile.am
@@ -10,12 +10,14 @@ libmmutil_gif_la_SOURCES = mm_util_gif.c
 libmmutil_gif_la_CFLAGS = -I$(srcdir)/include \
                                -I$(srcdir)/../imgp/include \
                                $(GLIB_CFLAGS) \
+                               $(GIO_CFLAGS) \
                                $(MEDIA_CFLAGS) \
                                -I/usr/include \
                                $(SYSTEMINFO_CFLAGS) \
                                $(srcdir)/../imgp/libmmutil_imgp.la
 
 libmmutil_gif_la_LIBADD = $(GLIB_LIBS) -lgif -ldl -lexif -lttrace\
+                               $(GIO_LIBS) \
                                $(GMODULE_LIBS) \
                                $(SYSTEMINFO_LIBS)\
                                $(MEDIA_LIBS)

diff --git a/gif/mm_util_gif.c b/gif/mm_util_gif.c
index 3f42c4e8de522612f04e9529aef76d2d8c9977ab..314c81c744f119c4ede33eea2016c9b9944870f6 100755 (executable)
--- a/gif/mm_util_gif.c
+++ b/gif/mm_util_gif.c
@@ -30,15 +30,14 @@
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
-#include <stdio.h>                             /* fopen() */
-#include <system_info.h>
+#include <gio/gio.h>
 
 #include "mm_util_gif.h"
 #include "mm_util_gif_private.h"
 #include "mm_util_debug.h"
 
 #include <limits.h>
-#define GIF_TMP_FILE   "/tmp/libmm_gif.gif"
+#define GIF_TMP_FILE   "/tmp/.libmm_gif.gif"
 
 #define COLORMAP_FREE(map)                     { if (map != NULL) { GifFreeMapObject(map); map = NULL; } }
 #define RGB_ALLOC(r, g, b, number, size)       { r = calloc(1, number * size); g = calloc(1, number * size); b = calloc(1, number * size); }
@@ -540,7 +539,7 @@ static int __gif_extract_rgb(gif_image_s *gif_image, unsigned long num_of_pixels
        GifByteType *redP, *greenP, *blueP;
        GifByteType *buffer = (GifByteType*)gif_image->image_data;
 
-       mm_util_debug("__gif_extract_rgb_from_image");
+       mm_util_debug("__gif_extract_rgb");
 
        RGB_ALLOC(redP, greenP, blueP, num_of_pixels, sizeof(GifByteType));
 
@@ -712,39 +711,47 @@ int _gif_encode_close_file(gif_file_s *gif_file)
        return MM_UTIL_ERROR_NONE;
 }
 
-int _gif_encode_move_to_origin(const char *origin)
+int _gif_encode_move_to_file(const char *dst)
 {
-       const char *command = "/bin/cp";
-       long ARG_MAX = sysconf(_SC_ARG_MAX);
-       char *command_line = NULL;
-
-       mm_util_retvm_if((((long)strlen(command) + (long)strlen(GIF_TMP_FILE) + (long)strlen(origin) + 3) >= ARG_MAX),
-               MM_UTIL_ERROR_INVALID_OPERATION, "command is too long");
-
-       command_line = (char *)calloc(1, ARG_MAX);
-       mm_util_retvm_if(command_line == NULL, MM_UTIL_ERROR_OUT_OF_MEMORY, "memory allocation failed");
+       int ret = MM_UTIL_ERROR_NONE;
+       GFile *source = g_file_new_for_path(GIF_TMP_FILE);
+       GFile *destination =  g_file_new_for_path(dst);
+       GError *error = NULL;
 
-       snprintf(command_line, ARG_MAX, "%s %s %s", command, GIF_TMP_FILE, origin);
+       if (source == NULL || destination == NULL) {
+               mm_util_error("could not open file");
+               if (source)
+                       g_object_unref(source);
+               if (destination)
+                       g_object_unref(destination);
+               return MM_UTIL_ERROR_INVALID_OPERATION;
+       }
 
-       mm_util_debug("[MV COMMAND: %s]", command_line);
-       WEXITSTATUS(system(command_line));
+       gboolean result = g_file_copy(source, destination, G_FILE_COPY_OVERWRITE, NULL, NULL, NULL, &error);
+       if (!result) {
+               mm_util_error("g_file_copy failed: %s", error ? error->message : "none");
+               ret = MM_UTIL_ERROR_INVALID_OPERATION;
+       }
 
-       MMUTIL_SAFE_FREE(command_line);
+       if (error)
+               g_error_free(error);
+       g_object_unref(source);
+       g_object_unref(destination);
 
-       return MM_UTIL_ERROR_NONE;
+       return ret;
 }
 
-int _gif_encode_move_to_origin_mem(const unsigned char *src, unsigned long src_size, void **dst, unsigned long *dst_size)
+int _gif_encode_move_to_mem(const unsigned char *src, unsigned long src_size, void **dst, unsigned long *dst_size)
 {
        unsigned char *buffer = NULL;
        mm_util_retvm_if(src == NULL || dst == NULL || dst_size == NULL, MM_UTIL_ERROR_INVALID_PARAMETER, "Invalid parameter");
        mm_util_retvm_if(src_size == 0, MM_UTIL_ERROR_INVALID_PARAMETER, "Invalid parameter");
 
+       mm_util_debug("src_size: %lu", src_size);
+
        buffer = (unsigned char *)calloc(1, src_size);
        mm_util_retvm_if(buffer == NULL, MM_UTIL_ERROR_OUT_OF_MEMORY, "memory allocation failed");
 
-       mm_util_debug("src_size: %lu", src_size);
-
        memcpy(buffer, src, src_size);
 
        *dst = buffer;
@@ -1327,10 +1334,10 @@ int mm_util_gif_encode_save(mm_gif_file_h gif_file_h)
        mm_util_retvm_if(ret != MM_UTIL_ERROR_NONE, ret, "_gif_encode_close_file failed");
 
        if (gif_file->filename != NULL) {
-               ret= _gif_encode_move_to_origin(gif_file->filename);
+               ret= _gif_encode_move_to_file(gif_file->filename);
                mm_util_retvm_if(ret != MM_UTIL_ERROR_NONE, ret, "__move_tmp_to_origin failed");
        } else if (gif_file->write_data_ptr.mem != NULL) {
-               ret = _gif_encode_move_to_origin_mem(gif_file->buffer, gif_file->write_data_ptr.size,
+               ret = _gif_encode_move_to_mem(gif_file->buffer, gif_file->write_data_ptr.size,
                        gif_file->enc_buffer, gif_file->enc_buffer_size);
                MMUTIL_SAFE_FREE(gif_file->buffer);
                gif_file->write_data_ptr.size = 0;
@@ -1397,6 +1404,7 @@ int mm_util_gif_encode(mm_gif_file_h gif_file_h)
        mm_util_retvm_if(gif_file == NULL, MM_UTIL_ERROR_INVALID_PARAMETER, "Invalid parameter");
        mm_util_retvm_if(gif_file->saved_image == NULL, MM_UTIL_ERROR_INVALID_OPERATION, "Invalid parameter");
 
+       /* this way is for image_util_encode_run(), remove it later */
        ret = mm_util_gif_encode_start(gif_file_h);
        mm_util_retvm_if(ret != MM_UTIL_ERROR_NONE, ret, "mm_util_gif_encode_start failed");
 
@@ -1420,7 +1428,7 @@ void mm_util_gif_encode_destroy(mm_gif_file_h gif_file_h)
        gif_file_s *gif_file = (gif_file_s *)gif_file_h;
 
        mm_util_retm_if(gif_file == NULL, "Invalid parameter");
-       mm_util_retm_if(gif_file->GifFile == NULL, "GifFile is already closed");
+       mm_util_retm_if(gif_file->GifFile == NULL, "GifFile has already closed");
 
        if (gif_file->GifFile != NULL) {
                ret = _gif_encode_close_file(gif_file);

diff --git a/packaging/libmm-utility.spec b/packaging/libmm-utility.spec
index 5793eea3b34cfcc869276cbc41e1128b8e15870d..d37cd74ae78f0d73a4e740209a1a17a29b871f2d 100755 (executable)
--- a/packaging/libmm-utility.spec
+++ b/packaging/libmm-utility.spec
@@ -1,6 +1,6 @@
 Name:       libmm-utility
 Summary:    Multimedia Framework Utility Library
-Version:    0.35
+Version:    0.36
 Release:    0
 Group:      System/Libraries
 License:    Apache-2.0
@@ -11,6 +11,7 @@ Requires(postun):  /sbin/ldconfig
 Requires: libmm-imgp-gstcs
 BuildRequires:  pkgconfig(dlog)
 BuildRequires:  pkgconfig(glib-2.0)
+BuildRequires:  pkgconfig(gio-2.0)
 BuildRequires:  pkgconfig(gmodule-2.0)
 BuildRequires:  libjpeg-turbo-devel
 BuildRequires:  pkgconfig(libtzplatform-config)