projects / platform / core / multimedia / libmedia-service.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 86f959e)
Modify to use vulnerable function 'sscanf' 62/126062/1 accepted/tizen_3.0_ivi accepted/tizen/3.0/common/20170508.152949 accepted/tizen/3.0/ivi/20170508.050042 accepted/tizen/3.0/mobile/20170508.050007 accepted/tizen/3.0/tv/20170508.050011 accepted/tizen/3.0/wearable/20170508.050031 submit/tizen_3.0-common/20170508.080135 submit/tizen_3.0-common/20170508.081301 submit/tizen_3.0-common/20170508.091535 submit/tizen_3.0/20170427.223233 submit/tizen_3.0_common/20170508.091735
authorJiyong Min <jiyong.min@samsung.com>
Thu, 20 Apr 2017 01:05:13 +0000 (10:05 +0900)
committerJiyong Min <jiyong.min@samsung.com>
Thu, 20 Apr 2017 01:24:21 +0000 (10:24 +0900)
Change-Id: I199cb2c166a454e2765f65f837c728334fa19d91
Signed-off-by: Jiyong Min <jiyong.min@samsung.com>
packaging/libmedia-service.spec patch | blob | history
src/common/media-svc-util.c patch | blob | history

diff --git a/packaging/libmedia-service.spec b/packaging/libmedia-service.spec
index 9789b99..1ffa6ef 100644 (file)
--- a/packaging/libmedia-service.spec
+++ b/packaging/libmedia-service.spec
@@ -1,6 +1,6 @@
 Name:       libmedia-service
 Summary:    Media information service library for multimedia applications
-Version: 0.2.91
+Version: 0.2.92
 Release:    0
 Group:      Multimedia/Libraries
 License:    Apache-2.0 and public domain
diff --git a/src/common/media-svc-util.c b/src/common/media-svc-util.c
index 2331fc8..d3492c8 100755 (executable)
--- a/src/common/media-svc-util.c
+++ b/src/common/media-svc-util.c
@@ -827,6 +827,33 @@ static int __media_svc_resize_artwork(unsigned char *image, unsigned int size, c
        return ret;
 }
 
+static int __media_svc_safe_atoi(char *buffer, int *si)
+{
+       char *end;
+       errno = 0;
+       const long sl = strtol(buffer, &end, 10);
+
+       if (end == buffer) {
+               media_svc_error("not a decimal number");
+               return MS_MEDIA_ERR_INTERNAL;
+       } else if ('\0' != *end) {
+               media_svc_error("extra characters at end of input: %s", end);
+               return MS_MEDIA_ERR_INTERNAL;
+       } else if ((LONG_MIN == sl || LONG_MAX == sl) && (ERANGE == errno)) {
+               media_svc_error("out of range of type long");
+               return MS_MEDIA_ERR_INTERNAL;
+       } else if (sl > INT_MAX) {
+               media_svc_error("greater than INT_MAX");
+               return MS_MEDIA_ERR_INTERNAL;
+       } else if (sl < INT_MIN) {
+               media_svc_error("less than INT_MIN");
+               return MS_MEDIA_ERR_INTERNAL;
+       } else {
+               *si = (int)sl;
+       }
+       return MS_MEDIA_ERR_NONE;
+}
+
 static int _media_svc_save_image(unsigned char *image, unsigned int size, char *image_path, uid_t uid)
 {
        media_svc_debug("start save image, path [%s] image size [%d]", image_path, size);
@@ -2076,7 +2103,7 @@ int _media_svc_extract_media_metadata(sqlite3 *handle, media_svc_content_info_s
                mmf_error = mm_file_get_attrs(tag, &err_attr_name, MM_FILE_TAG_DATE, &p, &size, NULL);
                if ((!(extracted_field & MEDIA_SVC_EXTRACTED_FIELD_YEAR)) && (mmf_error == FILEINFO_ERROR_NONE) && (size == 4)) {
                        int year = 0;
-                       if ((p != NULL) && (sscanf(p, "%d", &year))) {
+                       if ((p != NULL) && ((ret = __media_svc_safe_atoi(p, &year)) == MS_MEDIA_ERR_NONE)) {
                                ret = __media_svc_malloc_and_strncpy(&content_info->media_meta.year, p);
                                if (ret != MS_MEDIA_ERR_NONE)
                                        media_svc_error("strcpy error");
Domain: Multimedia / Media Content;