Fix TSAM-7948

Received message is at risk for corruption with previous message. So '\0' char is added at end of tokenized message.

[Version] 0.2.76
[Profile] Common
[Issue Type] Bug fix
[Dependency module] N/A
[Dependency commit] N/A
[Test] [W(T) - Boot=(OK), sdb=(OK), Home=(OK), Touch=(OK), Version=tizen-wearable_20160929.1]

Change-Id: Icca98962da0f955ce32c0acc660ccc40754510e2
Signed-off-by: Haesu Gwon <haesu.gwon@samsung.com>

diff --git a/include/camera_private.h b/include/camera_private.h
index 8d84f75..7cbd9e1 100644 (file)
--- a/include/camera_private.h
+++ b/include/camera_private.h
@@ -34,7 +34,7 @@ extern "C" {
 #endif /* BUFFER_MAX_PLANE_NUM */
 
 #define BUFFER_MAX_PLANE_NUM     4
-#define CAMERA_PARSE_STRING_SIZE 20
+#define CAMERA_PARSED_STRING_NUM_MAX 20
 #define CAMERA_CB_TIMEOUT        5
 #define CAMERA_CB_TIMEOUT_LONG   8
 
@@ -113,7 +113,7 @@ typedef struct _camera_cb_info_s {
        /* message receive thread */
        GThread *msg_recv_thread;
        gint msg_recv_running;
-       gchar recv_msg[MUSE_CAMERA_MSG_MAX_LENGTH];
+       gchar recv_msg[MUSE_CAMERA_MSG_MAX_LENGTH * CAMERA_PARSED_STRING_NUM_MAX];
        GCond api_cond[MUSE_CAMERA_API_MAX];
        GMutex api_mutex[MUSE_CAMERA_API_MAX];
        gint api_activating[MUSE_CAMERA_API_MAX];

diff --git a/packaging/capi-media-camera.spec b/packaging/capi-media-camera.spec
index 259c444..909ab32 100644 (file)
--- a/packaging/capi-media-camera.spec
+++ b/packaging/capi-media-camera.spec
@@ -1,6 +1,6 @@
 Name:       capi-media-camera
 Summary:    A Camera API
-Version:    0.2.75
+Version:    0.2.76
 Release:    0
 Group:      Multimedia/API
 License:    Apache-2.0

diff --git a/src/camera.c b/src/camera.c
index f98d43b..d499594 100644 (file)
--- a/src/camera.c
+++ b/src/camera.c
@@ -1784,6 +1784,7 @@ static void *_camera_msg_recv_func(gpointer data)
        int num_token = 0;
        int str_pos = 0;
        int prev_pos = 0;
+       int msg_length = 0;
        char *error_msg = NULL;
        char *recv_msg = NULL;
        char **parse_str = NULL;
@@ -1796,13 +1797,13 @@ static void *_camera_msg_recv_func(gpointer data)
 
        LOGD("start");
 
-       parse_str = (char **)malloc(sizeof(char *) * CAMERA_PARSE_STRING_SIZE);
+       parse_str = (char **)malloc(sizeof(char *) * CAMERA_PARSED_STRING_NUM_MAX);
        if (parse_str == NULL) {
                LOGE("parse_str malloc failed");
                return NULL;
        }
 
-       for (i = 0 ; i < CAMERA_PARSE_STRING_SIZE ; i++) {
+       for (i = 0 ; i < CAMERA_PARSED_STRING_NUM_MAX ; i++) {
                parse_str[i] = (char *)malloc(sizeof(char) * MUSE_CAMERA_MSG_MAX_LENGTH);
                if (parse_str[i] == NULL) {
                        LOGE("parse_str[%d] malloc failed", i);
@@ -1829,13 +1830,26 @@ static void *_camera_msg_recv_func(gpointer data)
                /*LOGD("recvMSg : %s, length : %d", recv_msg, ret);*/
 
                /* Need to split the combined entering msgs.
-                   This module supports up to 200 combined msgs. */
+                   This module supports up to 20 combined msgs. */
                for (str_pos = 0; str_pos < ret; str_pos++) {
                        if (recv_msg[str_pos] == '}') {
-                               strncpy(parse_str[num_token], recv_msg + prev_pos, str_pos - prev_pos + 1);
-                               /*LOGD("splitted msg : [%s], Index : %d", parse_str[num_token], num_token);*/
+                               msg_length = str_pos - prev_pos + 1;
+
+                               if (msg_length < MUSE_CAMERA_MSG_MAX_LENGTH) {
+                                       strncpy(parse_str[num_token], recv_msg + prev_pos, msg_length);
+                                       parse_str[num_token][msg_length] = '\0';
+                                       num_token++;
+                                       /*LOGD("splitted msg : [%s], Index : %d", parse_str[num_token], num_token);*/
+                               } else {
+                                       LOGW("too long message : length %d [%s]", msg_length, recv_msg + prev_pos);
+                               }
+
                                prev_pos = str_pos + 1;
-                               num_token++;
+
+                               if (num_token >= CAMERA_PARSED_STRING_NUM_MAX) {
+                                       LOGE("There's too many tokens. Remained msg : %s", recv_msg[++str_pos]);
+                                       break;
+                               }
                        }
                }
 
@@ -1843,7 +1857,7 @@ static void *_camera_msg_recv_func(gpointer data)
 
                /* Re-construct to the useful single msg. */
                for (i = 0; i < num_token; i++) {
-                       if (i >= CAMERA_PARSE_STRING_SIZE) {
+                       if (i >= CAMERA_PARSED_STRING_NUM_MAX) {
                                LOGE("invalid token index %d", i);
                                break;
                        }
@@ -1942,7 +1956,7 @@ static void *_camera_msg_recv_func(gpointer data)
 
 CB_HANDLER_EXIT:
        if (parse_str) {
-               for (i = 0 ; i < CAMERA_PARSE_STRING_SIZE ; i++) {
+               for (i = 0 ; i < CAMERA_PARSED_STRING_NUM_MAX ; i++) {
                        if (parse_str[i]) {
                                free(parse_str[i]);
                                parse_str[i] = NULL;