From: Sangchul Lee <sc11.lee@samsung.com>
Date: Wed, 18 May 2022 03:14:21 +0000 (+0900)
Subject: media_editor_private: Fix possible crash when handling callback in idle
X-Git-Tag: submit/tizen/20220524.064107~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=60535bce64a88d7192f42782c7dde820bf08940e;p=platform%2Fcore%2Fapi%2Fmediaeditor.git

media_editor_private: Fix possible crash when handling callback in idle

It was possible to access freed memory in __post_state_cb_in_idle().
The mutex locker is also applied to _post_error_cb_in_idle().

[Version] 0.1.6
[Issue Type] Bug fix

Change-Id: If3fe02e30f53631edcedba59821650dd4ee60a4f
Signed-off-by: Sangchul Lee <sc11.lee@samsung.com>
---

diff --git a/packaging/capi-media-editor.spec b/packaging/capi-media-editor.spec
index 0be2599..fd4ade3 100644
--- a/packaging/capi-media-editor.spec
+++ b/packaging/capi-media-editor.spec
@@ -1,6 +1,6 @@
 Name:       capi-media-editor
 Summary:    A Tizen Media Editor API
-Version:    0.0.5
+Version:    0.0.6
 Release:    0
 Group:      Multimedia/API
 License:    Apache-2.0
diff --git a/src/media_editor_private.c b/src/media_editor_private.c
index e99f9ad..6ef3d9a 100644
--- a/src/media_editor_private.c
+++ b/src/media_editor_private.c
@@ -367,6 +367,7 @@ static gboolean __idle_cb(gpointer user_data)
 static void __post_state_cb_in_idle(mediaeditor_s *editor, mediaeditor_state_e new_state)
 {
     idle_userdata_s *data = NULL;
+    g_autoptr(GMutexLocker) locker = NULL;
 
     RET_IF(editor == NULL, "editor is NULL");
 
@@ -380,9 +381,8 @@ static void __post_state_cb_in_idle(mediaeditor_s *editor, mediaeditor_state_e n
 
     editor->pend_state = new_state;
 
-    g_mutex_lock(&editor->event_src_mutex);
+    locker = g_mutex_locker_new(&editor->event_src_mutex);
     editor->idle_cb_event_source_ids[data->type] = g_idle_add_full(G_PRIORITY_DEFAULT_IDLE, __idle_cb, data, g_free);
-    g_mutex_unlock(&editor->event_src_mutex);
 
     LOG_DEBUG("state will be changed [%s] -> [%s]", __state_str[editor->state], __state_str[new_state]);
 }
@@ -390,6 +390,7 @@ static void __post_state_cb_in_idle(mediaeditor_s *editor, mediaeditor_state_e n
 void _post_error_cb_in_idle(mediaeditor_s *editor, mediaeditor_error_e error)
 {
     idle_userdata_s *data = NULL;
+    g_autoptr(GMutexLocker) locker = NULL;
 
     RET_IF(editor == NULL, "editor is NULL");
 
@@ -398,9 +399,8 @@ void _post_error_cb_in_idle(mediaeditor_s *editor, mediaeditor_error_e error)
     data->type = IDLE_CB_TYPE_ERROR;
     data->new.error = error;
 
-    g_mutex_lock(&editor->event_src_mutex);
+    locker = g_mutex_locker_new(&editor->event_src_mutex);
     editor->idle_cb_event_source_ids[data->type] = g_idle_add_full(G_PRIORITY_DEFAULT_IDLE, __idle_cb, data, g_free);
-    g_mutex_unlock(&editor->event_src_mutex);
 
     LOG_DEBUG("error will occur [0x%x]", error);
 }