Bug fix. insecure strncmp
refs: 76/314376/1 accepted/tizen_9.0_unified accepted/tizen_unified_dev accepted/tizen_unified_toolchain tizen_9.0 accepted/tizen/9.0/unified/20241030.231443 accepted/tizen/unified/20240712.160041 accepted/tizen/unified/dev/20240715.080538 accepted/tizen/unified/toolchain/20240812.132738 accepted/tizen/unified/x/20240715.042502 accepted/tizen/unified/x/asan/20240813.231026 tizen_9.0_m2_release
author    Jiyong <jiyong.min@samsung.com>
Thu, 11 Jul 2024 03:46:20 +0000 (12:46 +0900)
committer Jiyong <jiyong.min@samsung.com>
Thu, 11 Jul 2024 03:46:20 +0000 (12:46 +0900)
 - fix svace issue (LIB.INSECURE_STRNCMP)

The problem is that such usage checks only the prefix of the string because the null terminator is not checked.
It may be a source of vulnerability when used for comparing passwords.
The correct pattern should use strlen(arg) + 1.

Change-Id: Ib66d43aac119b265c462b0ba35519caa3885d631
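
The prefix-only behaviour the commit message describes, as an added example that is not part of this commit or of libmm-utility: the flagged pattern `strncmp(a, b, strlen(a))` beside the corrected `strlen(a) + 1` form, run over constructed inputs (the path and its hypothetical realpath() result are made up for the demonstration, and `prefix_only_match`, `full_match` and `agrees_with_strcmp` are names chosen here, not project functions).

```c
#include <stdio.h>
#include <string.h>

/* Flagged pattern (Svace LIB.INSECURE_STRNCMP): the length comes from the
 * first argument alone, so the terminator of `expected` is never compared
 * and any `actual` that merely starts with `expected` is accepted.
 * Returns 1 on "match", 0 otherwise. */
static int prefix_only_match(const char *expected, const char *actual)
{
    return strncmp(expected, actual, strlen(expected)) == 0;
}

/* Corrected pattern from the commit message: strlen(expected) + 1 puts the
 * NUL terminator of `expected` inside the compared range, so a longer
 * `actual` differs at the byte where `expected` ends. For NUL-terminated
 * strings this is exactly strcmp(). */
static int full_match(const char *expected, const char *actual)
{
    return strncmp(expected, actual, strlen(expected) + 1) == 0;
}

/* Sanity check: the +1 form must agree with strcmp() on every pair. */
static int agrees_with_strcmp(const char *a, const char *b)
{
    return full_match(a, b) == (strcmp(a, b) == 0);
}

int main(void)
{
    /* Constructed inputs, not taken from the project. */
    const char *path = "/tmp/link";
    const char *resolved = "/tmp/link_target"; /* hypothetical realpath() result */

    printf("prefix-only: %d (accepts the longer path)\n",
           prefix_only_match(path, resolved));
    printf("full:        %d (rejects it)\n", full_match(path, resolved));
    printf("equal:       %d\n", full_match(path, "/tmp/link"));
    printf("agrees with strcmp: %d\n", agrees_with_strcmp(path, resolved));
    return 0;
}
```

Since the `+ 1` form is just `strcmp()` spelled with `strncmp()`, `strcmp()` is the clearer choice where both strings are known to be NUL-terminated. Neither is constant-time; for the password comparison the commit message mentions, a length check followed by a constant-time compare (for example OpenSSL's `CRYPTO_memcmp`) is the appropriate primitive.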

common/mm_util_private.c
packaging/libmm-utility.spec

index d44cdee1ceaa25d0b67397ccfddc14d1db588286..2f9eb42793fa1413552278096f195f75151037cc 100644 (file)
@@ -46,7 +46,7 @@ int mm_util_safe_fopen(const char *path, const char *mode, FILE **fp)
                                mm_util_stderror("realpath failed");
                                return MM_UTIL_ERROR_NO_SUCH_FILE;
                        }
-                       if (strncmp(path, _realpath, strlen(path))) {
+                       if (strncmp(path, _realpath, strlen(path) + 1)) {
                                mm_util_error("file is symbolic link");
                                free(_realpath);
                                return MM_UTIL_ERROR_NO_SUCH_FILE;
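Review bot: with the length now strlen(path) + 1 the terminator of path is inside the compared range, so this call is exactly strcmp(path, _realpath); writing it as `if (strcmp(path, _realpath))` states the intent directly and removes the Svace-flagged pattern instead of working around it. Before the change, a path whose resolved target merely begins with the given string (for example /tmp/link resolving to /tmp/link_target) passed the check; the +1 fixes that, but two caveats on the surrounding logic remain untouched by the hunk. First, realpath() also canonicalizes differences that have nothing to do with symlinks (relative components, ".", "..", duplicated or trailing slashes), so a legitimate non-canonical path is rejected with the misleading message "file is symbolic link". Second, if the file is opened after this check, as the name mm_util_safe_fopen suggests, the check-then-open sequence leaves a TOCTOU window in which a symlink can be placed between the realpath() call and the open; open() with O_NOFOLLOW followed by fdopen() closes it.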
index 7958d9d9569b1fbdab162dc9d1b40ea0568a037b..e0682b2042d21353ec9fc7935086cbe3964aacf0 100644 (file)
@@ -1,6 +1,6 @@
 Name:       libmm-utility
 Summary:    Multimedia Framework Utility Library
-Version:    0.4.24
+Version:    0.4.25
 Release:    0
 Group:      System/Libraries
 License:    Apache-2.0