From: Jeongmo Yang Date: Tue, 11 Jul 2017 01:45:21 +0000 (+0900) Subject: Fix security issue - buffer overflow X-Git-Tag: submit/tizen/20170711.075327^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=27c314b4e55f792383d3fae076756d6adf94d939;p=platform%2Fcore%2Fmultimedia%2Flibmm-camcorder.git Fix security issue - buffer overflow [Version] 0.10.125 [Profile] Common [Issue Type] Security issue [Issue#] SATIZENVUL-916 [Dependency module] N/A [Test] [M(T) - Boot=(OK), sdb=(OK), Home=(OK), Touch=(OK), Version=tizen-unified_20170704.3] Change-Id: Ida060c371fac6a6366b5160ed3862799d4fec564 Signed-off-by: Jeongmo Yang --- diff --git a/packaging/libmm-camcorder.spec b/packaging/libmm-camcorder.spec index 30121e5..21a6735 100644 --- a/packaging/libmm-camcorder.spec +++ b/packaging/libmm-camcorder.spec @@ -1,6 +1,6 @@ Name: libmm-camcorder Summary: Camera and recorder library -Version: 0.10.124 +Version: 0.10.125 Release: 0 Group: Multimedia/Libraries License: Apache-2.0 diff --git a/src/mm_camcorder_util.c b/src/mm_camcorder_util.c index cfcaa2d..77f3a43 100644 --- a/src/mm_camcorder_util.c +++ b/src/mm_camcorder_util.c @@ -46,6 +46,8 @@ -----------------------------------------------------------------------*/ #define TIME_STRING_MAX_LEN 64 #define __MMCAMCORDER_CAPTURE_WAIT_TIMEOUT 5 +#define __MMCAMCORDER_MAX_WIDTH 8192 +#define __MMCAMCORDER_MAX_HEIGHT 8192 #define FPUTC_CHECK(x_char, x_file) \ { \ @@ -2239,6 +2241,12 @@ static gboolean _mmcamcorder_convert_NV12_to_I420(unsigned char *src, guint widt return FALSE; } + /* buffer overflow prevention check */ + if (width > __MMCAMCORDER_MAX_WIDTH || height > __MMCAMCORDER_MAX_HEIGHT) { + _mmcam_dbg_err("too large size %d x %d", width, height); + return FALSE; + } + dst_size = (width * height * 3) >> 1; _mmcam_dbg_log("NV12 -> I420 : %dx%d, dst size %d", width, height, dst_size);