From: Jiyong Min <jiyong.min@samsung.com>
Date: Sun, 20 Aug 2017 23:26:14 +0000 (+0900)
Subject: Replace system() to g_file_copy() due to exploitable vulnerabilities.
X-Git-Tag: submit/tizen/20170824.093048~6
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f04334598d1c22d0a169f6e80f1aa6ff3224095d;p=platform%2Fcore%2Fmultimedia%2Flibmm-utility.git

Replace system() to g_file_copy() due to exploitable vulnerabilities.

- Please refer to below webpage in detail
- https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=2130132

Change-Id: I790a24e92439b73d4c6f43e563fc7da2d317d262
Signed-off-by: Jiyong Min <jiyong.min@samsung.com>
---

diff --git a/configure.ac b/configure.ac
index 677db5c..b5048a9 100755
--- a/configure.ac
+++ b/configure.ac
@@ -41,6 +41,10 @@ PKG_CHECK_MODULES(GLIB, glib-2.0)
 AC_SUBST(GLIB_CFLAGS)
 AC_SUBST(GLIB_LIBS)
 
+PKG_CHECK_MODULES(GIO, gio-2.0)
+AC_SUBST(GIO_CFLAGS)
+AC_SUBST(GIO_LIBS)
+
 PKG_CHECK_MODULES(GMODULE, gmodule-2.0)
 AC_SUBST(GMODULE_CFLAGS)
 AC_SUBST(GMODULE_LIBS)
diff --git a/gif/Makefile.am b/gif/Makefile.am
index 7c9734d..74b00f9 100644
--- a/gif/Makefile.am
+++ b/gif/Makefile.am
@@ -10,12 +10,14 @@ libmmutil_gif_la_SOURCES = mm_util_gif.c
 libmmutil_gif_la_CFLAGS = -I$(srcdir)/include \
 				-I$(srcdir)/../imgp/include \
 				$(GLIB_CFLAGS) \
+				$(GIO_CFLAGS) \
 				$(MEDIA_CFLAGS) \
 				-I/usr/include \
 				$(SYSTEMINFO_CFLAGS) \
 				$(srcdir)/../imgp/libmmutil_imgp.la
 
 libmmutil_gif_la_LIBADD = $(GLIB_LIBS) -lgif -ldl -lexif -lttrace\
+				$(GIO_LIBS) \
 				$(GMODULE_LIBS) \
 				$(SYSTEMINFO_LIBS)\
 				$(MEDIA_LIBS)
diff --git a/gif/mm_util_gif.c b/gif/mm_util_gif.c
index 3f42c4e..314c81c 100755
--- a/gif/mm_util_gif.c
+++ b/gif/mm_util_gif.c
@@ -30,15 +30,14 @@
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
-#include <stdio.h>				/* fopen() */
-#include <system_info.h>
+#include <gio/gio.h>
 
 #include "mm_util_gif.h"
 #include "mm_util_gif_private.h"
 #include "mm_util_debug.h"
 
 #include <limits.h>
-#define GIF_TMP_FILE	"/tmp/libmm_gif.gif"
+#define GIF_TMP_FILE	"/tmp/.libmm_gif.gif"
 
 #define COLORMAP_FREE(map)			{ if (map != NULL) { GifFreeMapObject(map); map = NULL; } }
 #define RGB_ALLOC(r, g, b, number, size)	{ r = calloc(1, number * size); g = calloc(1, number * size); b = calloc(1, number * size); }
@@ -540,7 +539,7 @@ static int __gif_extract_rgb(gif_image_s *gif_image, unsigned long num_of_pixels
 	GifByteType *redP, *greenP, *blueP;
 	GifByteType *buffer = (GifByteType*)gif_image->image_data;
 
-	mm_util_debug("__gif_extract_rgb_from_image");
+	mm_util_debug("__gif_extract_rgb");
 
 	RGB_ALLOC(redP, greenP, blueP, num_of_pixels, sizeof(GifByteType));
 
@@ -712,39 +711,47 @@ int _gif_encode_close_file(gif_file_s *gif_file)
 	return MM_UTIL_ERROR_NONE;
 }
 
-int _gif_encode_move_to_origin(const char *origin)
+int _gif_encode_move_to_file(const char *dst)
 {
-	const char *command = "/bin/cp";
-	long ARG_MAX = sysconf(_SC_ARG_MAX);
-	char *command_line = NULL;
-
-	mm_util_retvm_if((((long)strlen(command) + (long)strlen(GIF_TMP_FILE) + (long)strlen(origin) + 3) >= ARG_MAX),
-		MM_UTIL_ERROR_INVALID_OPERATION, "command is too long");
-
-	command_line = (char *)calloc(1, ARG_MAX);
-	mm_util_retvm_if(command_line == NULL, MM_UTIL_ERROR_OUT_OF_MEMORY, "memory allocation failed");
+	int ret = MM_UTIL_ERROR_NONE;
+	GFile *source = g_file_new_for_path(GIF_TMP_FILE);
+	GFile *destination =  g_file_new_for_path(dst);
+	GError *error = NULL;
 
-	snprintf(command_line, ARG_MAX, "%s %s %s", command, GIF_TMP_FILE, origin);
+	if (source == NULL || destination == NULL) {
+		mm_util_error("could not open file");
+		if (source)
+			g_object_unref(source);
+		if (destination)
+			g_object_unref(destination);
+		return MM_UTIL_ERROR_INVALID_OPERATION;
+	}
 
-	mm_util_debug("[MV COMMAND: %s]", command_line);
-	WEXITSTATUS(system(command_line));
+	gboolean result = g_file_copy(source, destination, G_FILE_COPY_OVERWRITE, NULL, NULL, NULL, &error);
+	if (!result) {
+		mm_util_error("g_file_copy failed: %s", error ? error->message : "none");
+		ret = MM_UTIL_ERROR_INVALID_OPERATION;
+	}
 
-	MMUTIL_SAFE_FREE(command_line);
+	if (error)
+		g_error_free(error);
+	g_object_unref(source);
+	g_object_unref(destination);
 
-	return MM_UTIL_ERROR_NONE;
+	return ret;
 }
 
-int _gif_encode_move_to_origin_mem(const unsigned char *src, unsigned long src_size, void **dst, unsigned long *dst_size)
+int _gif_encode_move_to_mem(const unsigned char *src, unsigned long src_size, void **dst, unsigned long *dst_size)
 {
 	unsigned char *buffer = NULL;
  	mm_util_retvm_if(src == NULL || dst == NULL || dst_size == NULL, MM_UTIL_ERROR_INVALID_PARAMETER, "Invalid parameter");
 	mm_util_retvm_if(src_size == 0, MM_UTIL_ERROR_INVALID_PARAMETER, "Invalid parameter");
 
+	mm_util_debug("src_size: %lu", src_size);
+
 	buffer = (unsigned char *)calloc(1, src_size);
 	mm_util_retvm_if(buffer == NULL, MM_UTIL_ERROR_OUT_OF_MEMORY, "memory allocation failed");
 
-	mm_util_debug("src_size: %lu", src_size);
-
  	memcpy(buffer, src, src_size);
 
 	*dst = buffer;
@@ -1327,10 +1334,10 @@ int mm_util_gif_encode_save(mm_gif_file_h gif_file_h)
 	mm_util_retvm_if(ret != MM_UTIL_ERROR_NONE, ret, "_gif_encode_close_file failed");
 
 	if (gif_file->filename != NULL) {
-		ret= _gif_encode_move_to_origin(gif_file->filename);
+		ret= _gif_encode_move_to_file(gif_file->filename);
 		mm_util_retvm_if(ret != MM_UTIL_ERROR_NONE, ret, "__move_tmp_to_origin failed");
 	} else if (gif_file->write_data_ptr.mem != NULL) {
-		ret = _gif_encode_move_to_origin_mem(gif_file->buffer, gif_file->write_data_ptr.size,
+		ret = _gif_encode_move_to_mem(gif_file->buffer, gif_file->write_data_ptr.size,
 			gif_file->enc_buffer, gif_file->enc_buffer_size);
 		MMUTIL_SAFE_FREE(gif_file->buffer);
 		gif_file->write_data_ptr.size = 0;
@@ -1397,6 +1404,7 @@ int mm_util_gif_encode(mm_gif_file_h gif_file_h)
 	mm_util_retvm_if(gif_file == NULL, MM_UTIL_ERROR_INVALID_PARAMETER, "Invalid parameter");
 	mm_util_retvm_if(gif_file->saved_image == NULL, MM_UTIL_ERROR_INVALID_OPERATION, "Invalid parameter");
 
+	/* this way is for image_util_encode_run(), remove it later */
 	ret = mm_util_gif_encode_start(gif_file_h);
 	mm_util_retvm_if(ret != MM_UTIL_ERROR_NONE, ret, "mm_util_gif_encode_start failed");
 
@@ -1420,7 +1428,7 @@ void mm_util_gif_encode_destroy(mm_gif_file_h gif_file_h)
 	gif_file_s *gif_file = (gif_file_s *)gif_file_h;
 
 	mm_util_retm_if(gif_file == NULL, "Invalid parameter");
-	mm_util_retm_if(gif_file->GifFile == NULL, "GifFile is already closed");
+	mm_util_retm_if(gif_file->GifFile == NULL, "GifFile has already closed");
 
 	if (gif_file->GifFile != NULL) {
 		ret = _gif_encode_close_file(gif_file);
diff --git a/packaging/libmm-utility.spec b/packaging/libmm-utility.spec
index 5793eea..d37cd74 100755
--- a/packaging/libmm-utility.spec
+++ b/packaging/libmm-utility.spec
@@ -1,6 +1,6 @@
 Name:       libmm-utility
 Summary:    Multimedia Framework Utility Library
-Version:    0.35
+Version:    0.36
 Release:    0
 Group:      System/Libraries
 License:    Apache-2.0
@@ -11,6 +11,7 @@ Requires(postun):  /sbin/ldconfig
 Requires: libmm-imgp-gstcs
 BuildRequires:  pkgconfig(dlog)
 BuildRequires:  pkgconfig(glib-2.0)
+BuildRequires:  pkgconfig(gio-2.0)
 BuildRequires:  pkgconfig(gmodule-2.0)
 BuildRequires:  libjpeg-turbo-devel
 BuildRequires:  pkgconfig(libtzplatform-config)