From: hj kim <backto.kim@samsung.com>
Date: Fri, 6 Jul 2018 01:41:35 +0000 (+0900)
Subject: Fix Coverity issues
X-Git-Tag: submit/tizen/20180706.044046^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=45dc60fb7036cc2a3696fca78b77d312038a099b;p=platform%2Fcore%2Fapi%2Fmedia-controller.git

Fix Coverity issues

Change-Id: I2e77a011e2401387a282f0768d3a5bd7b8d8ec5a
---

diff --git a/packaging/capi-media-controller.spec b/packaging/capi-media-controller.spec
index 49a6c7c..20fd566 100755
--- a/packaging/capi-media-controller.spec
+++ b/packaging/capi-media-controller.spec
@@ -1,6 +1,6 @@
 Name:       capi-media-controller
 Summary:    A media controller library in Tizen Native API
-Version:    0.1.63
+Version:    0.1.64
 Release:    1
 Group:      Multimedia/API
 License:    Apache-2.0
diff --git a/src/media_controller_ipc.c b/src/media_controller_ipc.c
index 6bb43f4..8d6a07b 100755
--- a/src/media_controller_ipc.c
+++ b/src/media_controller_ipc.c
@@ -407,8 +407,10 @@ int mc_ipc_send_message_to_server(mc_msg_type_e msg_type, mc_priv_type_e priv_ty
 	temp_buf = (char *)calloc(1, full_msg_size + 1);
 	if (temp_buf == NULL) {
 		mc_error("Error memroy allocation");
+		close(sockfd);
 		return MEDIA_CONTROLLER_ERROR_OUT_OF_MEMORY;
 	}
+
 	memcpy(temp_buf, &send_msg, head_msg_size);
 	memcpy(temp_buf + head_msg_size, request_msg, request_msg_size);
 
diff --git a/svc/media_controller_cynara.c b/svc/media_controller_cynara.c
index ab67cba..6c8848e 100755
--- a/svc/media_controller_cynara.c
+++ b/svc/media_controller_cynara.c
@@ -89,7 +89,7 @@ int mc_cynara_receive_untrusted_message(int sockfd, mc_comm_msg_s *recv_msg, mc_
 		}
 	}
 
-	if (recv_msg->msg_size > 0) {
+	if ((recv_msg->msg_size > 0) && (recv_msg->msg_size <= SIZE_MAX - 1)) {
 		size_t remain_size = recv_msg->msg_size;
 		size_t block_size = 0;
 		size_t msg_index = 0;
@@ -124,14 +124,20 @@ int mc_cynara_receive_untrusted_message(int sockfd, mc_comm_msg_s *recv_msg, mc_
 				}
 			}
 
+			if (recv_msg_size > remain_size) {
+				mc_error("recv_msg_size [%zu] remain_size [%zu]", recv_msg_size, remain_size);
+				break;
+			}
+
 			memcpy(recv_msg->msg + msg_index, recv_buf, recv_msg_size);
 			msg_index += recv_msg_size;
+
 			remain_size -= recv_msg_size;
 		}
 
 		MC_SAFE_FREE(recv_buf);
 	} else {
-		mc_error("msg_size is zero");
+		mc_error("wrong msg_size [%zu]", recv_msg->msg_size);
 		recv_msg->msg = NULL;
 	}