Fix stack-buffer-overflow when the album-artwork is resized

Change-Id: I056c0aef612ec483ed3e28cfaa6773c45c9aa50f

diff --git a/packaging/libmedia-service.spec b/packaging/libmedia-service.spec
index b146918..e7e93fa 100644 (file)
--- a/packaging/libmedia-service.spec
+++ b/packaging/libmedia-service.spec
@@ -1,6 +1,6 @@
 Name:       libmedia-service
 Summary:    Media information service library for multimedia applications
-Version: 0.3.21
+Version: 0.3.22
 Release:    0
 Group:      Multimedia/Libraries
 License:    Apache-2.0 and PD

diff --git a/src/common/media-svc-util.c b/src/common/media-svc-util.c
index 26112f7..329ebbd 100755 (executable)
--- a/src/common/media-svc-util.c
+++ b/src/common/media-svc-util.c
@@ -624,19 +624,20 @@ static int __media_svc_resize_artwork(unsigned char *image, unsigned int size, c
 {
        int ret = MS_MEDIA_ERR_NONE;
        unsigned char *raw_image = NULL;
-       int width = 0;
-       int height = 0;
+       unsigned long width = 0;
+       unsigned long height = 0;
        unsigned long long raw_size = 0;
        void *resized_raw_image = NULL;
        int resized_width = 0;
        int resized_height = 0;
        unsigned int buf_size = 0;
        image_util_colorspace_e colorspace = IMAGE_UTIL_COLORSPACE_RGB888;
+       unsigned long long resized_size = 0;
 
        if ((strstr(img_format, "jpeg") != NULL) || (strstr(img_format, "jpg") != NULL) || (strstr(img_format, "JPG") != NULL)) {
                media_svc_debug("type [jpeg] size [%d]", size);
                /* decoding */
-               ret = __media_svc_decode_jpeg(image, (unsigned long long)size, colorspace, &raw_image, (unsigned long *)&width, (unsigned long *)&height, &raw_size);
+               ret = __media_svc_decode_jpeg(image, (unsigned long long)size, colorspace, &raw_image, &width, &height, &raw_size);
                if (ret != MS_MEDIA_ERR_NONE) {
                        media_svc_error("__media_svc_decode_jpeg failed");
                        *resize_image = image;
@@ -681,7 +682,7 @@ static int __media_svc_resize_artwork(unsigned char *image, unsigned int size, c
 
                memset(resized_raw_image, 0, buf_size);
 
-               ret = image_util_resize(resized_raw_image, &resized_width, &resized_height, raw_image, width, height, colorspace);
+               ret = image_util_resize(resized_raw_image, &resized_width, &resized_height, raw_image, (int)width, (int)height, colorspace);
                if (ret != MS_MEDIA_ERR_NONE) {
                        media_svc_error("image_util_resize failed");
                        *resize_image = image;
@@ -693,7 +694,7 @@ static int __media_svc_resize_artwork(unsigned char *image, unsigned int size, c
                SAFE_FREE(raw_image);
 
                /* encoding */
-               ret = __media_svc_encode_jpeg((unsigned char *)resized_raw_image, (unsigned long)resized_width, (unsigned long)resized_height, colorspace, 90, resize_image, (unsigned long long *)resize_size);
+               ret = __media_svc_encode_jpeg((unsigned char *)resized_raw_image, (unsigned long)resized_width, (unsigned long)resized_height, colorspace, 90, resize_image, &resized_size);
                if (ret != MS_MEDIA_ERR_NONE) {
                        media_svc_error("__media_svc_encode_jpeg failed");
                        *resize_image = image;
@@ -709,6 +710,7 @@ static int __media_svc_resize_artwork(unsigned char *image, unsigned int size, c
                        *resize_size = size;
                        return MS_MEDIA_ERR_NONE;
                }
+               *resize_size = (unsigned int)resized_size;
        } else if ((strstr(img_format, "png") != NULL) || (strstr(img_format, "PNG") != NULL)) {
                media_svc_debug("type [png] size [%d]", size);
                *resize_image = image;