Fix tainted data and minor change 43/244143/3 accepted/tizen_6.0_unified_hotfix tizen_6.0_hotfix accepted/tizen/6.0/unified/20201030.121137 accepted/tizen/6.0/unified/hotfix/20201103.002736 accepted/tizen/unified/20200917.055759 submit/tizen/20200916.012329 submit/tizen/20200917.004955 submit/tizen_6.0/20201029.205103 submit/tizen_6.0_hotfix/20201102.192504 submit/tizen_6.0_hotfix/20201103.114804 tizen_6.0.m2_release
authorjiyong.min <jiyong.min@samsung.com>
Tue, 15 Sep 2020 08:13:19 +0000 (17:13 +0900)
committerjiyong.min <jiyong.min@samsung.com>
Tue, 15 Sep 2020 08:22:17 +0000 (17:22 +0900)
  - Check the return value of fread, because the data it reads is tainted
  - Check the minimum value of '((x[0] << 8) | (x[1]))'
  - Minor change: change 'long' and 'gsize' to 'size_t'

Change-Id: Ib71be1c7caeea8c99cb6194734599930d4d64bc1

packaging/libmedia-service.spec
src/common/media-svc-util.c

index a7f5c64..3276801 100644 (file)
@@ -1,6 +1,6 @@
 Name:       libmedia-service
 Summary:    Media information service library for multimedia applications
-Version: 0.4.13
+Version: 0.4.14
 Release:    0
 Group:      Multimedia/Libraries
 License:    Apache-2.0 and PD
index aa2881a..4e44550 100644 (file)
@@ -806,12 +806,10 @@ int _media_svc_set_media_info(media_svc_content_info_s *content_info, const char
 static int __image_360_check(const char *path)
 {
        FILE *fp = NULL;
-       long app1_size = 0;
-       int size = 1;
+       size_t size = 0, app1_size = 0, exif_app1_xmp_size = 0;
        unsigned char exif_header[4] = {0, };
        unsigned char exif_app1[2] = {0, };
        unsigned char exif_app1_xmp[2] = {0, };
-       gsize exif_app1_xmp_size = 0;
        unsigned char exif_app1_xmp_t[2] = {0, };
        GString *xmp_data = NULL;
        int fdata = 0;
@@ -827,32 +825,35 @@ static int __image_360_check(const char *path)
                goto ERROR;
 
        size = fread(exif_header, 1, sizeof(exif_header), fp);
-       if (size <= 0)
+       if (size != sizeof(exif_header))
                goto ERROR;
 
        if ((exif_header[0] == 0xff) && (exif_header[1] == 0xd8) && (exif_header[2] == 0xff) && (exif_header[3] == 0xe1)) {
                size = fread(exif_app1, 1, sizeof(exif_app1), fp);
-               if (size <= 0)
+               if (size != sizeof(exif_app1))
                        goto ERROR;
 
-               app1_size = (long)((exif_app1[0] << 8) | (exif_app1[1])) - 2 ;
+               if ((size_t)((exif_app1[0] << 8) | (exif_app1[1])) <= 2)
+                       goto ERROR;
 
+               app1_size = (size_t)((exif_app1[0] << 8) | (exif_app1[1])) - 2 ;
                if (fseek(fp, app1_size, SEEK_CUR) != 0)
                        goto ERROR;
 
                size = fread(exif_app1_xmp, 1, sizeof(exif_app1_xmp), fp);
-               if (size <= 0)
+               if (size != sizeof(exif_app1_xmp))
                        goto ERROR;
 
                if ((exif_app1_xmp[0] == 0xff) && (exif_app1_xmp[1] == 0xe1)) {
                        size = fread(exif_app1_xmp_t, 1, sizeof(exif_app1_xmp_t), fp);
-                       if (size <= 0)
+                       if (size != sizeof(exif_app1_xmp_t))
                                goto ERROR;
 
-                       exif_app1_xmp_size = (long)((exif_app1_xmp_t[0] << 8) | (exif_app1_xmp_t[1])) - 2;
-                       if (exif_app1_xmp_size == 0)
+                       if ((size_t)((exif_app1_xmp_t[0] << 8) | (exif_app1_xmp_t[1])) <= 2)
                                goto ERROR;
 
+                       exif_app1_xmp_size = (size_t)((exif_app1_xmp_t[0] << 8) | (exif_app1_xmp_t[1])) - 2;
+
                        xmp_data = g_string_sized_new(exif_app1_xmp_size);
 
                        do {
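Review bot: The 16-bit segment length from the file is decoded twice at each of the two sites (once in the `<= 2` guard and again in the subtraction), so the guard and the value actually used could drift apart in a later edit. Decode it once into a local and validate that, e.g. `size_t seg_len = ((size_t)exif_app1[0] << 8) | exif_app1[1];`, then `if (seg_len <= 2) goto ERROR;` and `app1_size = seg_len - 2;`, and do the same for `exif_app1_xmp_t`. On the first APP1 segment, `<= 2` also rejects a length of exactly 2, which the old code accepted as a zero-byte skip; `< 2` is enough to stop the unsigned subtraction from wrapping there, so a short comment saying which bound is intended would help. `__image_360_check` starts before this hunk and the `do` loop that consumes `exif_app1_xmp_size` continues past it, so how that loop handles the remaining values cannot be checked from here.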