Fix the crash issue with Gear 360

author DoHyun Pyun <dh79.pyun@samsung.com>

Thu, 23 Jan 2020 04:09:38 +0000 (13:09 +0900)

committer DoHyun Pyun <dh79.pyun@samsung.com>

Thu, 23 Jan 2020 07:11:18 +0000 (16:11 +0900)
author DoHyun Pyun <dh79.pyun@samsung.com>
Thu, 23 Jan 2020 04:09:38 +0000 (13:09 +0900)
committer DoHyun Pyun <dh79.pyun@samsung.com>
Thu, 23 Jan 2020 07:11:18 +0000 (16:11 +0900)
diff --git a/packaging/libmtp.spec b/packaging/libmtp.spec

index a403f8b..401b8af 100755 (executable)
--- a/packaging/libmtp.spec
+++ b/packaging/libmtp.spec
@@ -3,7 +3,7 @@
  Name:       libmtp
  Summary:    Library for media transfer protocol (mtp)
  Version:    1.1.11
-Release:    12
+Release:    13
  Group:      Network & Connectivity/Other
  License:    LGPL-2.1
  Source0:    libmtp-%{version}.tar.gz
diff --git a/src/libopenusb1-glue.c b/src/libopenusb1-glue.c

index 1e04f04..8f670eb 100755 (executable)
--- a/src/libopenusb1-glue.c
+++ b/src/libopenusb1-glue.c
@@ -1297,6 +1297,16 @@ static uint16_t ptp_usb_getpacket(PTPParams *params,
      ret = ptp_read_func(packet_size, &memhandler, params->data, rlen, 0);
      ptp_exit_recv_memory_handler(&memhandler, &x, rlen);
      if (x) {
+        /*
+         * [DF200122-01357] Crash observed on accessing 360 camera via MTP .
+         */
+        if (*rlen > sizeof(PTPUSBBulkContainer)) {
+            libusb_glue_error(params,
+                "PTP: The packet size is so large");
+            free(x);
+            return PTP_RC_NoValidObjectInfo;
+        }
+
          memcpy(packet, x, *rlen);
          free(x);
      }
diff --git a/src/libusb-glue.c b/src/libusb-glue.c

index 1b477a4..14daf53 100755 (executable)
--- a/src/libusb-glue.c
+++ b/src/libusb-glue.c
@@ -1288,8 +1288,18 @@ static uint16_t ptp_usb_getpacket(PTPParams *params,
         ret = ptp_read_func(packet_size, &memhandler, params->data, rlen, 0);
         ptp_exit_recv_memory_handler (&memhandler, &x, rlen);
         if (x) {
-               memcpy (packet, x, *rlen);
-               free (x);
+               /*
+                * [DF200122-01357] Crash observed on accessing 360 camera via MTP .
+                */
+               if (*rlen > sizeof(PTPUSBBulkContainer)) {
+                       libusb_glue_error(params,
+                       "PTP: The packet size is so large");
+                       free(x);
+                       return PTP_RC_NoValidObjectInfo;
+               }
+
+               memcpy(packet, x, *rlen);
+               free(x);
         }
         return ret;
  }
diff --git a/src/libusb1-glue.c b/src/libusb1-glue.c

index 5c8c46a..c4527d2 100755 (executable)
--- a/src/libusb1-glue.c
+++ b/src/libusb1-glue.c
@@ -1343,8 +1343,18 @@ static uint16_t ptp_usb_getpacket(PTPParams *params,
         ret = ptp_read_func(packet_size, &memhandler, params->data, rlen, 0);
         ptp_exit_recv_memory_handler (&memhandler, &x, rlen);
         if (x) {
-               memcpy (packet, x, *rlen);
-               free (x);
+               /*
+                * [DF200122-01357] Crash observed on accessing 360 camera via MTP .
+                */
+               if (*rlen > sizeof(PTPUSBBulkContainer)) {
+                       libusb_glue_error(params,
+                       "PTP: The packet size is so large");
+                       free(x);
+                       return PTP_RC_NoValidObjectInfo;
+               }
+
+               memcpy(packet, x, *rlen);
+               free(x);
         }
         return ret;
  }
author	DoHyun Pyun <dh79.pyun@samsung.com>
	Thu, 23 Jan 2020 04:09:38 +0000 (13:09 +0900)
committer	DoHyun Pyun <dh79.pyun@samsung.com>
	Thu, 23 Jan 2020 07:11:18 +0000 (16:11 +0900)
packaging/libmtp.spec		patch \| blob \| history
src/libopenusb1-glue.c		patch \| blob \| history
src/libusb-glue.c		patch \| blob \| history
src/libusb1-glue.c		patch \| blob \| history